diff options
author | Patrick J Volkerding <volkerdi@slackware.com> | 2009-08-26 10:00:38 -0500 |
---|---|---|
committer | Eric Hameleers <alien@slackware.com> | 2018-05-31 22:41:17 +0200 |
commit | 5a12e7c134274dba706667107d10d231517d3e05 (patch) | |
tree | 55718d5acb710fde798d9f38d0bbaf594ed4b296 /source/x/xdg-utils | |
download | current-5a12e7c134274dba706667107d10d231517d3e05.tar.gz current-5a12e7c134274dba706667107d10d231517d3e05.tar.xz |
Slackware 13.0slackware-13.0
Wed Aug 26 10:00:38 CDT 2009
Slackware 13.0 x86_64 is released as stable! Thanks to everyone who
helped make this release possible -- see the RELEASE_NOTES for the
credits. The ISOs are off to the replicator. This time it will be a
6 CD-ROM 32-bit set and a dual-sided 32-bit/64-bit x86/x86_64 DVD.
We're taking pre-orders now at store.slackware.com. Please consider
picking up a copy to help support the project. Once again, thanks to
the entire Slackware community for all the help testing and fixing
things and offering suggestions during this development cycle.
As always, have fun and enjoy! -P.
Diffstat (limited to 'source/x/xdg-utils')
-rw-r--r-- | source/x/xdg-utils/doinst.sh | 100 | ||||
-rw-r--r-- | source/x/xdg-utils/slack-desc | 19 | ||||
-rwxr-xr-x | source/x/xdg-utils/xdg-utils-cvs_checkout.sh | 17 | ||||
-rwxr-xr-x | source/x/xdg-utils/xdg-utils.SlackBuild | 77 | ||||
-rw-r--r-- | source/x/xdg-utils/xdg-utils.info | 2 |
5 files changed, 215 insertions, 0 deletions
diff --git a/source/x/xdg-utils/doinst.sh b/source/x/xdg-utils/doinst.sh new file mode 100644 index 000000000..4d72a9617 --- /dev/null +++ b/source/x/xdg-utils/doinst.sh @@ -0,0 +1,100 @@ +#!/bin/sh +# Regarding xdg-open in /etc/mailcap: +# +# It turns out that xdg-open is not very smart about what it +# passes off control to, leading to security problems where (for +# example) a file could be provided on a web site as a PDF, but +# rather than send it to a PDF viewer, xdg-open sends it to kfmclient +# which uses a whole different set of criteria to determine what sort +# of file it is. It's trivial to make something that's detected as +# a PDF at first, but then is executed as a .desktop file later, +# resulting in the execution of arbitrary code as the user. +# +# This is not acceptable, and we see no way to fix it as long as +# xdg-open passes off the resolution of the file type (again) to +# something else. In light of the potential security risks, we +# will turn off the use of xdg-open if it appears to have been +# added by a previous version of the xdg-utils package. +# +# Vulnerability code: CVE-2009-0068 + +# First, we will detect an automatically modified mailcap by +# looking for the comment "# Sample xdg-open entries:" + +if [ -r etc/mailcap ]; then + if grep -q "^# Sample xdg-open entries:$" etc/mailcap ; then + + COOKIE=$(usr/bin/mcookie) + if [ -z $COOKIE ]; then + exit 1 + fi + + # First, add a space to the end of the comment used to detect this + # junk so that we won't detect it again (in case the user decides + # to enable this themselves later on -- their call). Add a warning + # about this type of xdg-open use being insecure. Finally, comment + # out any lines like this. + + echo "# Sample xdg-open entries: " > tmp/mailcap-$COOKIE + cat << EOF >> tmp/mailcap-$COOKIE +# +# NOTE: Using xdg-open in /etc/mailcap in this way has been +# shown to be insecure and is not recommended (CVE-2009-0068)! +# A remote attacker can easily make a filetype such as a +# .desktop script appear to xdg-open as a PDF file causing its +# arbitrary contents to be executed. Consider these to be +# examples of what NOT to do. The xdg-utils package no longer +# adds any lines such as these to /etc/mailcap. +# +EOF + cat etc/mailcap \ + | grep -v "# Sample xdg-open entries:" \ + | sed -e 's/^audio\/\*; \/usr\/bin\/xdg-open %s/#audio\/\*; \/usr\/bin\/xdg-open %s/g' \ + | sed -e 's/^image\/\*; \/usr\/bin\/xdg-open %s/#image\/\*; \/usr\/bin\/xdg-open %s/g' \ + | sed -e 's/^application\/msword; \/usr\/bin\/xdg-open %s/#application\/msword; \/usr\/bin\/xdg-open %s/g' \ + | sed -e 's/^application\/pdf; \/usr\/bin\/xdg-open %s/#application\/pdf; \/usr\/bin\/xdg-open %s/g' \ + | sed -e 's/^application\/postscript ; \/usr\/bin\/xdg-open %s/#application\/postscript ; \/usr\/bin\/xdg-open %s/g' \ + | sed -e 's/^text\/html; \/usr\/bin\/xdg-open %s ; copiousoutput/#text\/html; \/usr\/bin\/xdg-open %s ; copiousoutput/g' >> tmp/mailcap-$COOKIE + + cat tmp/mailcap-$COOKIE > etc/mailcap + rm -f tmp/mailcap-$COOKIE + + fi +fi + +## BEGIN (HERE IS WHAT CAUSED THIS MESS): + +## Add some reasonable default values for xdg-open to /etc/mailcap, +## since this is where many programs look for this information: +# +#if ! grep -q '# Sample xdg-open entries:' etc/mailcap 1> /dev/null 2> /dev/null ; then +# echo "# Sample xdg-open entries:" >> etc/mailcap +# echo >> etc/mailcap +#fi +#if ! grep -q 'audio/' etc/mailcap ; then +# echo 'audio/*; /usr/bin/xdg-open %s' >> etc/mailcap +# echo >> etc/mailcap +#fi +#if ! grep -q 'image/' etc/mailcap ; then +# echo 'image/*; /usr/bin/xdg-open %s' >> etc/mailcap +# echo >> etc/mailcap +#fi +#if ! grep -q 'application/msword' etc/mailcap ; then +# echo 'application/msword; /usr/bin/xdg-open %s' >> etc/mailcap +# echo >> etc/mailcap +#fi +#if ! grep -q 'application/pdf' etc/mailcap ; then +# echo 'application/pdf; /usr/bin/xdg-open %s' >> etc/mailcap +# echo >> etc/mailcap +#fi +#if ! grep -q 'application/postscript' etc/mailcap ; then +# echo 'application/postscript ; /usr/bin/xdg-open %s' >> etc/mailcap +# echo >> etc/mailcap +#fi +#if ! grep -q '#text/html' etc/mailcap ; then +# echo '#text/html; /usr/bin/xdg-open %s ; copiousoutput' >> etc/mailcap +# echo >> etc/mailcap +#fi + +## END + diff --git a/source/x/xdg-utils/slack-desc b/source/x/xdg-utils/slack-desc new file mode 100644 index 000000000..ef97cc6d6 --- /dev/null +++ b/source/x/xdg-utils/slack-desc @@ -0,0 +1,19 @@ +# HOW TO EDIT THIS FILE: +# The "handy ruler" below makes it easier to edit a package description. Line +# up the first '|' above the ':' following the base package name, and the '|' +# on the right side marks the last column you can put a character in. You must +# make exactly 11 lines for the formatting to be correct. It's also +# customary to leave one space after the ':'. + + |-----handy-ruler------------------------------------------------------| +xdg-utils: xdg-utils (command line tools that assist applications) +xdg-utils: +xdg-utils: Xdg-utils is a set of command line tools that assist applications +xdg-utils: with a variety of desktop integration tasks. About half of the +xdg-utils: tools focus on tasks commonly required during the installation of +xdg-utils: a desktop application and the other half focuses on integration +xdg-utils: with the desktop environment while the application is running. +xdg-utils: +xdg-utils: Homepage: http://portland.freedesktop.org/wiki/ +xdg-utils: +xdg-utils: diff --git a/source/x/xdg-utils/xdg-utils-cvs_checkout.sh b/source/x/xdg-utils/xdg-utils-cvs_checkout.sh new file mode 100755 index 000000000..74d7ba0e6 --- /dev/null +++ b/source/x/xdg-utils/xdg-utils-cvs_checkout.sh @@ -0,0 +1,17 @@ +#!/bin/bash + + +MODULE=$(basename $0 -cvs_checkout.sh) +DATE=$(date +%Y%m%d) + +set -x + +rm -rf $MODULE + +cvs -z3 -d:pserver:anonymous@cvs.freedesktop.org:/cvs/portland checkout -P portland/$MODULE +pushd portland +find . -name CVS -exec rm -rf "{}" \; 2> /dev/null +tar cjf ../$MODULE-${DATE}cvs.tar.bz2 $MODULE +popd + +rm -rf portland diff --git a/source/x/xdg-utils/xdg-utils.SlackBuild b/source/x/xdg-utils/xdg-utils.SlackBuild new file mode 100755 index 000000000..dcf1c5c2d --- /dev/null +++ b/source/x/xdg-utils/xdg-utils.SlackBuild @@ -0,0 +1,77 @@ +#!/bin/sh + +# Slackware build script for xdg-utils +# Written by Erik Hanson erik@slackbuilds.org +# Modified for CVS version by Patrick Volkerding <volkerdi@slackware.com> + +# Copyright 2008, 2009 Patrick J. Volkerding, Sebeka, MN, USA +# All rights reserved. +# +# Redistribution and use of this script, with or without modification, is +# permitted provided that the following conditions are met: +# +# 1. Redistributions of this script must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO +# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, +# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; +# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR +# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF +# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + + +PRGNAM=xdg-utils +VERSION=1.0.2 +CVS=20090202cvs +ARCH=noarch +BUILD=${BUILD:-3} + +NUMJOBS=${NUMJOBS:-" -j7 "} + + +CWD=$(pwd) +TMP=${TMP:-/tmp} +PKG=$TMP/package-$PRGNAM + +rm -rf $PKG +mkdir -p $TMP $PKG + +cd $TMP || exit 1 +rm -rf $PRGNAM-$VERSION +tar xvf $CWD/$PRGNAM-$CVS.tar.bz2 || exit 1 +cd $PRGNAM || exit 1 +chown -R root:root . +find . \ + \( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \ + -exec chmod 755 {} \; -o \ + \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \ + -exec chmod 644 {} \; + +./configure \ + --prefix=/usr \ + --sysconfdir=/etc \ + --localstatedir=/var \ + || exit 1 + +make $NUMJOBS || make || exit 1 +make install DESTDIR=$PKG || exit 1 + +gzip -9 $PKG/usr/man/man1/* + +mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION +cp -a \ + LICENSE README RELEASE_NOTES TODO \ + $PKG/usr/doc/$PRGNAM-$VERSION + +mkdir -p $PKG/install +cat $CWD/slack-desc > $PKG/install/slack-desc +zcat $CWD/doinst.sh.gz > $PKG/install/doinst.sh + +cd $PKG +/sbin/makepkg -l y -c n $TMP/$PRGNAM-$VERSION-$ARCH-$BUILD.txz + diff --git a/source/x/xdg-utils/xdg-utils.info b/source/x/xdg-utils/xdg-utils.info new file mode 100644 index 000000000..6b5eaf5fa --- /dev/null +++ b/source/x/xdg-utils/xdg-utils.info @@ -0,0 +1,2 @@ +HOMEPAGE="http://portland.freedesktop.org/wiki/" +DOWNLOAD="http://portland.freedesktop.org/download/xdg-utils-1.0.2.tgz" |