Diffstat (limited to 'source/x/xdg-utils')
-rw-r--r-- | source/x/xdg-utils/doinst.sh | 100 | ||||
-rw-r--r-- | source/x/xdg-utils/slack-desc | 19 | ||||
-rwxr-xr-x | source/x/xdg-utils/xdg-utils-cvs_checkout.sh | 17 | ||||
-rwxr-xr-x | source/x/xdg-utils/xdg-utils.SlackBuild | 77 | ||||
-rw-r--r-- | source/x/xdg-utils/xdg-utils.info | 2 |
5 files changed, 215 insertions, 0 deletions
diff --git a/source/x/xdg-utils/doinst.sh b/source/x/xdg-utils/doinst.sh
new file mode 100644
index 00000000..4d72a961
--- /dev/null
+++ b/source/x/xdg-utils/doinst.sh
@@ -0,0 +1,100 @@
+#!/bin/sh
+# Regarding xdg-open in /etc/mailcap:
+#
+# It turns out that xdg-open is not very smart about what it
+# passes off control to, leading to security problems where (for
+# example) a file could be provided on a web site as a PDF, but
+# rather than send it to a PDF viewer, xdg-open sends it to kfmclient
+# which uses a whole different set of criteria to determine what sort
+# of file it is. It's trivial to make something that's detected as
+# a PDF at first, but then is executed as a .desktop file later,
+# resulting in the execution of arbitrary code as the user.
+#
+# This is not acceptable, and we see no way to fix it as long as
+# xdg-open passes off the resolution of the file type (again) to
+# something else. In light of the potential security risks, we
+# will turn off the use of xdg-open if it appears to have been
+# added by a previous version of the xdg-utils package.
+#
+# Vulnerability code: CVE-2009-0068
+
+# First, we will detect an automatically modified mailcap by
+# looking for the comment "# Sample xdg-open entries:"
+
+if [ -r etc/mailcap ]; then
+ if grep -q "^# Sample xdg-open entries:$" etc/mailcap ; then
+
+ COOKIE=$(usr/bin/mcookie)
+ if [ -z $COOKIE ]; then
+ exit 1
+ fi
+
+ # First, add a space to the end of the comment used to detect this
+ # junk so that we won't detect it again (in case the user decides
+ # to enable this themselves later on -- their call). Add a warning
+ # about this type of xdg-open use being insecure. Finally, comment
+ # out any lines like this.
+
+ echo "# Sample xdg-open entries: " > tmp/mailcap-$COOKIE
+ cat << EOF >> tmp/mailcap-$COOKIE
+#
+# NOTE: Using xdg-open in /etc/mailcap in this way has been
+# shown to be insecure and is not recommended (CVE-2009-0068)!
+# A remote attacker can easily make a filetype such as a
+# .desktop script appear to xdg-open as a PDF file causing its
+# arbitrary contents to be executed. Consider these to be
+# examples of what NOT to do. 
The xdg-utils package no longer
+# adds any lines such as these to /etc/mailcap.
+#
+EOF
+ cat etc/mailcap \
+ | grep -v "# Sample xdg-open entries:" \
+ | sed -e 's/^audio\/\*; \/usr\/bin\/xdg-open %s/#audio\/\*; \/usr\/bin\/xdg-open %s/g' \
+ | sed -e 's/^image\/\*; \/usr\/bin\/xdg-open %s/#image\/\*; \/usr\/bin\/xdg-open %s/g' \
+ | sed -e 's/^application\/msword; \/usr\/bin\/xdg-open %s/#application\/msword; \/usr\/bin\/xdg-open %s/g' \
+ | sed -e 's/^application\/pdf; \/usr\/bin\/xdg-open %s/#application\/pdf; \/usr\/bin\/xdg-open %s/g' \
+ | sed -e 's/^application\/postscript ; \/usr\/bin\/xdg-open %s/#application\/postscript ; \/usr\/bin\/xdg-open %s/g' \
+ | sed -e 's/^text\/html; \/usr\/bin\/xdg-open %s ; copiousoutput/#text\/html; \/usr\/bin\/xdg-open %s ; copiousoutput/g' >> tmp/mailcap-$COOKIE
+
+ cat tmp/mailcap-$COOKIE > etc/mailcap
+ rm -f tmp/mailcap-$COOKIE
+
+ fi
+fi
+
+## BEGIN (HERE IS WHAT CAUSED THIS MESS):
+
+## Add some reasonable default values for xdg-open to /etc/mailcap,
+## since this is where many programs look for this information:
+#
+#if ! grep -q '# Sample xdg-open entries:' etc/mailcap 1> /dev/null 2> /dev/null ; then
+# echo "# Sample xdg-open entries:" >> etc/mailcap
+# echo >> etc/mailcap
+#fi
+#if ! grep -q 'audio/' etc/mailcap ; then
+# echo 'audio/*; /usr/bin/xdg-open %s' >> etc/mailcap
+# echo >> etc/mailcap
+#fi
+#if ! grep -q 'image/' etc/mailcap ; then
+# echo 'image/*; /usr/bin/xdg-open %s' >> etc/mailcap
+# echo >> etc/mailcap
+#fi
+#if ! grep -q 'application/msword' etc/mailcap ; then
+# echo 'application/msword; /usr/bin/xdg-open %s' >> etc/mailcap
+# echo >> etc/mailcap
+#fi
+#if ! grep -q 'application/pdf' etc/mailcap ; then
+# echo 'application/pdf; /usr/bin/xdg-open %s' >> etc/mailcap
+# echo >> etc/mailcap
+#fi
+#if ! grep -q 'application/postscript' etc/mailcap ; then
+# echo 'application/postscript ; /usr/bin/xdg-open %s' >> etc/mailcap
+# echo >> etc/mailcap
+#fi
+#if ! 
grep -q '#text/html' etc/mailcap ; then
+# echo '#text/html; /usr/bin/xdg-open %s ; copiousoutput' >> etc/mailcap
+# echo >> etc/mailcap
+#fi
+
+## END
+
diff --git a/source/x/xdg-utils/slack-desc b/source/x/xdg-utils/slack-desc
new file mode 100644
index 00000000..ef97cc6d
--- /dev/null
+++ b/source/x/xdg-utils/slack-desc
@@ -0,0 +1,19 @@
+# HOW TO EDIT THIS FILE:
+# The "handy ruler" below makes it easier to edit a package description. Line
+# up the first '|' above the ':' following the base package name, and the '|'
+# on the right side marks the last column you can put a character in. You must
+# make exactly 11 lines for the formatting to be correct. It's also
+# customary to leave one space after the ':'.
+
+ |-----handy-ruler------------------------------------------------------|
+xdg-utils: xdg-utils (command line tools that assist applications)
+xdg-utils:
+xdg-utils: Xdg-utils is a set of command line tools that assist applications
+xdg-utils: with a variety of desktop integration tasks. About half of the
+xdg-utils: tools focus on tasks commonly required during the installation of
+xdg-utils: a desktop application and the other half focuses on integration
+xdg-utils: with the desktop environment while the application is running.
+xdg-utils:
+xdg-utils: Homepage: http://portland.freedesktop.org/wiki/
+xdg-utils:
+xdg-utils:
diff --git a/source/x/xdg-utils/xdg-utils-cvs_checkout.sh b/source/x/xdg-utils/xdg-utils-cvs_checkout.sh
new file mode 100755
index 00000000..74d7ba0e
--- /dev/null
+++ b/source/x/xdg-utils/xdg-utils-cvs_checkout.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+
+MODULE=$(basename $0 -cvs_checkout.sh)
+DATE=$(date +%Y%m%d)
+
+set -x
+
+rm -rf $MODULE
+
+cvs -z3 -d:pserver:anonymous@cvs.freedesktop.org:/cvs/portland checkout -P portland/$MODULE
+pushd portland
+find . -name CVS -exec rm -rf "{}" \; 2> /dev/null
+tar cjf ../$MODULE-${DATE}cvs.tar.bz2 $MODULE
+popd
+
+rm -rf portland 
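Review bot: `if [ -z $COOKIE ]; then` leaves the expansion unquoted, so when `usr/bin/mcookie` is missing or prints nothing the test degenerates to the one-argument form `[ -z ]`, which happens to return true under /bin/sh; the intended guard works only by accident and should read `if [ -z "$COOKIE" ]; then`. Further down, `cat tmp/mailcap-$COOKIE > etc/mailcap` is followed unconditionally by `rm -f tmp/mailcap-$COOKIE`, and since the redirection truncates etc/mailcap before cat runs, a failed copy (full filesystem, I/O error) leaves the system with an empty mailcap and deletes the only rebuilt copy. `cat tmp/mailcap-$COOKIE > etc/mailcap && rm -f tmp/mailcap-$COOKIE` keeps that copy until the write has actually succeeded.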
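Review bot: `pushd portland` is unchecked and the script does not use `set -e`, so if the anonymous `cvs ... checkout` fails (network error, unreachable server) pushd fails as well and the following `find . -name CVS -exec rm -rf "{}" \;` runs in the caller's working directory, deleting any CVS directories it finds there before `tar` then fails on the missing module. `cvs -z3 ... checkout -P portland/$MODULE || exit 1` and `pushd portland || exit 1` stop the script at the first failure instead. Note also that the checkout arrives over an unauthenticated pserver connection with no integrity check, and the tarball it produces is what xdg-utils.SlackBuild unpacks; the `${DATE}cvs` suffix alone does not let a later reviewer confirm what source went into the package, so a comment stating that, or a checksum of the resulting tarball recorded alongside xdg-utils.info, would make the provenance explicit.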
diff --git a/source/x/xdg-utils/xdg-utils.SlackBuild b/source/x/xdg-utils/xdg-utils.SlackBuild
new file mode 100755
index 00000000..dcf1c5c2
--- /dev/null
+++ b/source/x/xdg-utils/xdg-utils.SlackBuild
@@ -0,0 +1,77 @@
+#!/bin/sh
+
+# Slackware build script for xdg-utils
+# Written by Erik Hanson erik@slackbuilds.org
+# Modified for CVS version by Patrick Volkerding <volkerdi@slackware.com>
+
+# Copyright 2008, 2009 Patrick J. Volkerding, Sebeka, MN, USA
+# All rights reserved.
+#
+# Redistribution and use of this script, with or without modification, is
+# permitted provided that the following conditions are met:
+#
+# 1. Redistributions of this script must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+PRGNAM=xdg-utils
+VERSION=1.0.2
+CVS=20090202cvs
+ARCH=noarch
+BUILD=${BUILD:-3}
+
+NUMJOBS=${NUMJOBS:-" -j7 "}
+
+
+CWD=$(pwd)
+TMP=${TMP:-/tmp}
+PKG=$TMP/package-$PRGNAM
+
+rm -rf $PKG
+mkdir -p $TMP $PKG
+
+cd $TMP || exit 1
+rm -rf $PRGNAM-$VERSION
+tar xvf $CWD/$PRGNAM-$CVS.tar.bz2 || exit 1
+cd $PRGNAM || exit 1
+chown -R root:root .
+find . 
\
+ \( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \
+ -exec chmod 755 {} \; -o \
+ \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
+ -exec chmod 644 {} \;
+
+./configure \
+ --prefix=/usr \
+ --sysconfdir=/etc \
+ --localstatedir=/var \
+ || exit 1
+
+make $NUMJOBS || make || exit 1
+make install DESTDIR=$PKG || exit 1
+
+gzip -9 $PKG/usr/man/man1/*
+
+mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION
+cp -a \
+ LICENSE README RELEASE_NOTES TODO \
+ $PKG/usr/doc/$PRGNAM-$VERSION
+
+mkdir -p $PKG/install
+cat $CWD/slack-desc > $PKG/install/slack-desc
+zcat $CWD/doinst.sh.gz > $PKG/install/doinst.sh
+
+cd $PKG
+/sbin/makepkg -l y -c n $TMP/$PRGNAM-$VERSION-$ARCH-$BUILD.txz
+
diff --git a/source/x/xdg-utils/xdg-utils.info b/source/x/xdg-utils/xdg-utils.info
new file mode 100644
index 00000000..6b5eaf5f
--- /dev/null
+++ b/source/x/xdg-utils/xdg-utils.info
@@ -0,0 +1,2 @@
+HOMEPAGE="http://portland.freedesktop.org/wiki/"
+DOWNLOAD="http://portland.freedesktop.org/download/xdg-utils-1.0.2.tgz" |
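Review bot: `zcat $CWD/doinst.sh.gz > $PKG/install/doinst.sh` has no `|| exit 1`, unlike the tar, cd, configure and make steps around it, while this commit adds `doinst.sh` uncompressed according to the diffstat. Unless the file is gzipped before the build somewhere outside this diff, zcat fails, the redirection leaves an empty install/doinst.sh, and makepkg still produces a package that never performs the CVE-2009-0068 mailcap cleanup the new doinst.sh exists for. `zcat $CWD/doinst.sh.gz > $PKG/install/doinst.sh || exit 1` turns that into a build failure instead of a silently incomplete package. The unchecked `gzip -9 $PKG/usr/man/man1/*` and `cp -a ... $PKG/usr/doc/$PRGNAM-$VERSION` lines are less critical but could get the same treatment.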