Version in base suite: 4.16.0-1 Base version: exo_4.16.0-1 Target version: exo_4.16.0-1+deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/e/exo/exo_4.16.0-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/e/exo/exo_4.16.0-1+deb11u1.dsc changelog | 8 ++ gbp.conf | 4 - patches/0001-exo-open-Only-execute-local-.desktop-files.patch | 40 ++++++++++ patches/series | 1 4 files changed, 51 insertions(+), 2 deletions(-)
diff -Nru exo-4.16.0/debian/changelog exo-4.16.0/debian/changelog
--- exo-4.16.0/debian/changelog 2020-12-23 12:16:42.000000000 +0000
+++ exo-4.16.0/debian/changelog 2022-06-18 12:17:06.000000000 +0000
@@ -1,3 +1,11 @@
+exo (4.16.0-1+deb11u1) stable-security; urgency=medium
+
+ * d/patches: 0001-exo-open-Only-execute-local-.desktop-files.patch added
+ Fix CVE-2022-32278, exo allows executing .desktop files with remote URI
+ scheme. (Closes: #1013129)
+
+ -- Yves-Alexis Perez Sat, 18 Jun 2022 14:17:06 +0200
+
 exo (4.16.0-1) unstable; urgency=medium
 
 * New upstream version 4.16.0
diff -Nru exo-4.16.0/debian/gbp.conf exo-4.16.0/debian/gbp.conf
--- exo-4.16.0/debian/gbp.conf 2020-12-23 12:16:42.000000000 +0000
+++ exo-4.16.0/debian/gbp.conf 2022-06-18 12:17:06.000000000 +0000
@@ -1,4 +1,4 @@
 [DEFAULT]
 pristine-tar = True
-debian-branch = debian/master
-upstream-branch = upstream/latest
+debian-branch = debian/bullseye
+upstream-branch = upstream/bullseye
diff -Nru exo-4.16.0/debian/patches/0001-exo-open-Only-execute-local-.desktop-files.patch exo-4.16.0/debian/patches/0001-exo-open-Only-execute-local-.desktop-files.patch
--- exo-4.16.0/debian/patches/0001-exo-open-Only-execute-local-.desktop-files.patch 1970-01-01 00:00:00.000000000 +0000
+++ exo-4.16.0/debian/patches/0001-exo-open-Only-execute-local-.desktop-files.patch 2022-06-18 12:17:06.000000000 +0000
@@ -0,0 +1,40 @@
+From c71c04ff5882b2866a0d8506fb460d4ef796de9f Mon Sep 17 00:00:00 2001
+From: MShrimp4
+Date: Mon, 6 Jun 2022 23:57:03 +0900
+Subject: [PATCH] exo-open : Only execute local .desktop files
+
+Issue #85 (Backported cc047717)
+CVE-2022-32278
+
+This patch prevents executing possibly malicious .desktop files
+from online sources (ftp://, http:// etc.).
+
+Original patch authored by Alexander Schwinn
+---
+ exo-open/main.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/exo-open/main.c b/exo-open/main.c
+index a471c788..0176bc34 100644
+--- a/exo-open/main.c
++++ b/exo-open/main.c
+@@ -156,6 +156,16 @@ exo_open_launch_desktop_file (const gchar *arg)
+ if (G_UNLIKELY (gfile == NULL))
+ return FALSE;
+ 
++ /* Only execute local .desktop files to prevent execution of malicious launchers from foreign locations */
++ if (g_file_has_uri_scheme (gfile, "file") == FALSE)
++ {
++ char *uri = g_file_get_uri (gfile);
++ g_warning ("Execution of remote .desktop file '%s' was skipped due to security concerns.", uri);
++ g_object_unref (gfile);
++ g_free (uri);
++ return FALSE;
++ }
++
+ /* load the contents of the file */
+ result = g_file_load_contents (gfile, NULL, &contents, &length, NULL, NULL);
+ g_object_unref (G_OBJECT (gfile));
+-- 
+2.36.1
+
diff -Nru exo-4.16.0/debian/patches/series exo-4.16.0/debian/patches/series
--- exo-4.16.0/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ exo-4.16.0/debian/patches/series 2022-06-18 12:17:06.000000000 +0000
@@ -0,0 +1 @@
+0001-exo-open-Only-execute-local-.desktop-files.patch
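Review bot: The new guard in exo-open/main.c decides "local" purely by URI scheme (`g_file_has_uri_scheme (gfile, "file")`), so a .desktop file that lives on a remote share mounted into the local filesystem (a GVfs FUSE mount, NFS, sshfs) still carries a file:// URI and passes the check; the comment should say that this is the intended boundary, e.g. `/* Only execute .desktop files addressed by a file:// URI; shares mounted into the local filesystem count as local here */`. The early-return branch unrefs `gfile` and frees `uri` before returning FALSE, which mirrors the unref after `g_file_load_contents`, so the added path introduces no leak. Stylistically, GLib code usually writes the test as `if (!g_file_has_uri_scheme (gfile, "file"))` rather than comparing against FALSE, though the explicit form may be the file's convention. The enclosing exo_open_launch_desktop_file starts and ends outside the hunk, so where `gfile` is built from `arg` (presumably a command-line argument) cannot be confirmed from here.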