Package: xdg-utils / 1.1.0~rc1+git20111210-7.4+deb8u1

Metadata

Package    Version                            Patches format
xdg-utils  1.1.0~rc1+git20111210-7.4+deb8u1   3.0 (quilt)

Patch series

Patch File delta Description
xdg email envvar.diff

scripts/xdg-email.in | 25 25 + 0 - 0 !
1 file changed, 25 insertions(+)

 add $mailer support to xdg-email.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=6615
Bug-Debian: http://bugs.debian.org/574131
xdg email mutt detect.diff

scripts/xdg-email.in | 10 10 + 0 - 0 !
1 file changed, 10 insertions(+)

 fallback to mutt if ~/.muttrc exists.
xdg open browser multiword.diff

scripts/xdg-open.in | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 fix support for multi-word $browser commands.
xdg open printf.diff

scripts/xdg-open.in | 6 5 + 1 - 0 !
1 file changed, 5 insertions(+), 1 deletion(-)

 use /usr/bin/printf if available when decoding urls.
 dash's printf doesn't understand \xHH sequences.
xdg screensaver new gnome.diff

scripts/xdg-screensaver.in | 56 48 + 8 - 0 !
1 file changed, 48 insertions(+), 8 deletions(-)

 use dbus api for gnome since gnome-screensaver-command --poke has been removed
xdg open spaces.diff

scripts/xdg-open.in | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

---
xdg open escape sed.diff

scripts/xdg-open.in | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

---
no X.diff

scripts/xdg-email.in | 2 1 + 1 - 0 !
scripts/xdg-open.in | 33 21 + 12 - 0 !
2 files changed, 22 insertions(+), 13 deletions(-)

---
fix bashism use of echo.patch

scripts/xdg-email.in | 8 4 + 4 - 0 !
1 file changed, 4 insertions(+), 4 deletions(-)

 use /bin/echo -e instead of echo -e in xdg-email
command injection.patch

scripts/xdg-open.in | 6 3 + 3 - 0 !
1 file changed, 3 insertions(+), 3 deletions(-)

 [patch] xdg-open: command injection vulnerability (br66670)
xdg open safe.diff

scripts/xdg-open.in | 38 28 + 10 - 0 !
1 file changed, 28 insertions(+), 10 deletions(-)

 fix safety of de-agnostic xdg-open
 Let the shell do the splitting of the command contained in the
 .desktop file (set -- $(sed ...)).
 .
 Use "$@" behaving like an array. We cannot modify this array but we
 can append to it (with set -- "$@" "$newarg"). Basically, we take
 $command_exec and then shift. Then, we iterate on each argument using
 a counter and if the argument needs to be modified (because this is
 the place holder), we append the modified version, otherwise, we
 append it unmodified. At the end, "$@" is the array of arguments to
 be passed to "$command_exec". If no replacement has happened, we also
 append the target file.
 .
 No magic quoting is done, no evaluation. I think this is a safe
 alternative to the current script. I can also push it upstream.


CVE 2015 1877.patch

scripts/xdg-open.in | 10 5 + 5 - 0 !
1 file changed, 5 insertions(+), 5 deletions(-)

 cve-2015-1877: command injection vulnerability due to local variables collision
CVE 2017 18266.patch

scripts/xdg-open.in | 13 10 + 3 - 0 !
1 file changed, 10 insertions(+), 3 deletions(-)

 fix argument injection when browser is launched