diff --git a/Thunar.spec b/Thunar.spec index e70c1cd..8331c50 100644 --- a/Thunar.spec +++ b/Thunar.spec @@ -1,9 +1,9 @@ %global _hardened_build 1 -%global xfceversion 4.16 +%global xfceversion 4.14 Name: Thunar -Version: 1.8.17 -Release: 2 +Version: 1.8.15 +Release: 3 Summary: Thunar File Manager #Group: Development/Libraries License: GPLv2+ @@ -13,18 +13,19 @@ Source1: thunar-sendto-gnome-bluetooth.desktop Source2: thunar-sendto-audacious-playlist.desktop Source3: thunar-sendto-quodlibet-playlist.desktop Source4: thunar-sendto-blueman.desktop +Patch0: fix-CVE-2021-32563.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) #BuildArch: noarch BuildRequires: gcc-c++ BuildRequires: pkgconfig(dbus-glib-1) >= 0.34 -BuildRequires: exo-devel +BuildRequires: pkgconfig(exo-1) >= 0.12.0 BuildRequires: pkgconfig(gudev-1.0) >= 145 BuildRequires: pkgconfig(libexif) >= 0.6.0 BuildRequires: pkgconfig(libpcre) >= 6.0 BuildRequires: pkgconfig(libstartup-notification-1.0) >= 0.4 BuildRequires: pkgconfig(libnotify) >= 0.4.0 -BuildRequires: pkgconfig(libxfce4ui-2) >= %{xfceversion} -BuildRequires: pkgconfig(libxfce4panel-2.0) >= %{xfceversion} +BuildRequires: pkgconfig(libxfce4ui-1) >= %{xfceversion} +BuildRequires: pkgconfig(libxfce4panel-1.0) >= %{xfceversion} BuildRequires: libSM-devel BuildRequires: freetype-devel BuildRequires: libpng-devel >= 2:1.2.2-16 @@ -63,8 +64,8 @@ Requires: %{name} = %{version}-%{release} Thunarx GTK documentation files for the Thunar file manager. %prep -%autosetup -n thunar-%{version} - +%setup -n thunar-%{version} +%patch0 -p1 # fix icon in thunar-sendto-email.desktop sed -i 's!internet-mail!mail-message-new!' \ plugins/thunar-sendto-email/thunar-sendto-email.desktop.in.in 
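Review bot: The BuildRequires changed in the `@@ -13,18 +13,19 @@` hunk now name `pkgconfig(exo-1)`, `pkgconfig(libxfce4ui-1)` and `pkgconfig(libxfce4panel-1.0)`, which as far as I know are the GTK2 variants of those libraries. Thunar 1.8.x is a GTK3 application, so its configure script is expected to look for the `-2` / `-2.0` modules; please confirm against configure.ac in the 1.8.15 tarball. If it does check the `-2` modules, these lines pull GTK2 development packages into the build root without guaranteeing the ones the build actually needs. The `>= %{xfceversion}` bound also drops to 4.14 through the macro change at the top of the file.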
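Review bot: Replacing `%autosetup` with `%setup` plus an explicit `%patch0 -p1` in %prep means the CVE fix is applied only because it is named by hand. A `Patch1:` added later would ship in the SRPM but be silently left out of the build. `%autosetup -n thunar-%{version} -p1` applies every declared patch and keeps the macro the spec used before. If the explicit form is intentional, a comment above `%patch0` such as `# CVE-2021-32563: do not execute files passed on the command line` would tell the next packager why the line must stay.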
@@ -173,12 +174,8 @@ done %{_datadir}/gtk-doc/html/thunarx/* %changelog -* Thu Aug 05 2021 lin.zhang - 1.8.17-2 -- Fix BuildRequires: pkgconfig(libxfce4ui-1) pkgconfig(libxfce4panel-1.0) pkgconfig(exo-1) - -* Fri May 21 2021 lin.zhang - 1.8.17-1 -- update to 1.8.17-1 -- fix CVE-2021-32563 +* Fri May 21 2021 lin.zhang - 1.8.15-3 +- add fix-CVE-2021-32563.patch * Thu Jul 9 2020 Dillon Chen - 1.8.15-1 - Init package diff --git a/fix-CVE-2021-32563.patch b/fix-CVE-2021-32563.patch new file mode 100644 index 0000000..1b31415 --- /dev/null +++ b/fix-CVE-2021-32563.patch 
@@ -0,0 +1,160 @@ +diff -uNr thunar-1.8.15.orig/docs/Thunar.xml thunar-1.8.15/docs/Thunar.xml +--- thunar-1.8.15.orig/docs/Thunar.xml 2020-05-10 17:54:14.000000000 +0800 ++++ thunar-1.8.15/docs/Thunar.xml 2021-05-21 16:07:29.326702880 +0800 +@@ -48,9 +48,9 @@ + + Invocation + +- Thunar takes a list of URIs for folders that should be +- opened in new file manager windows or files that should be run using the default application for their +- types. The URIs may be specified as either file: ++ Thunar takes a list of URIs for files/folders that should be ++ opened in new file manager windows. ++ The URIs may be specified as either file: + or trash: URIs, absolute paths or paths relative to the current directory + from which Thunar is being invoked. If no URIs are specified, + the current folder will be opened in a new file manager window. +diff -uNr thunar-1.8.15.orig/thunar/thunar-application.c thunar-1.8.15/thunar/thunar-application.c +--- thunar-1.8.15.orig/thunar/thunar-application.c 2020-05-24 20:27:08.000000000 +0800 ++++ thunar-1.8.15/thunar/thunar-application.c 2021-05-21 16:15:06.977921451 +0800 +@@ -207,6 +207,7 @@ + #endif + + GList *files_to_launch; ++ ThunarApplicationProcessAction process_file_action; + + guint dbus_owner_id_xfce; + guint dbus_owner_id_fdo; +@@ -276,6 +277,7 @@ + * in the primary instance anyways */ + + application->files_to_launch = NULL; ++ application->process_file_action = THUNAR_APPLICATION_SELECT_FILES; + application->progress_dialog = NULL; + application->preferences = NULL; + +@@ -529,7 +531,7 @@ + } + else if (filenames != NULL) + { +- if (!thunar_application_process_filenames (application, cwd, filenames, NULL, NULL, &error)) ++ if (!thunar_application_process_filenames (application, cwd, filenames, NULL, NULL, &error,THUNAR_APPLICATION_SELECT_FILES)) + { + /* we failed to process the filenames or the bulk rename failed */ + g_application_command_line_printerr (command_line, "Thunar: %s\n", error->message); +@@ -537,7 +539,7 @@ 
+ } + else if (!daemon) + { +- if (!thunar_application_process_filenames (application, cwd, cwd_list, NULL, NULL, &error)) ++ if (!thunar_application_process_filenames (application, cwd, cwd_list, NULL, NULL, &error,THUNAR_APPLICATION_SELECT_FILES)) + { + /* we failed to process the filenames or the bulk rename failed */ + g_application_command_line_printerr (command_line, "Thunar: %s\n", error->message); +@@ -1507,8 +1509,27 @@ + } + else + { +- /* try to open the file or directory */ +- thunar_file_launch (target_file, screen, startup_id, &error); ++ if (application->process_file_action == THUNAR_APPLICATION_LAUNCH_FILES) ++ { ++ /* try to launch the file / open the directory */ ++ thunar_file_launch (target_file, screen, startup_id, &error); ++ } ++ else if (thunar_file_is_directory (file)) ++ { ++ thunar_application_open_window (application, file, screen, startup_id, FALSE); ++ } ++ else ++ { ++ /* Note that for security reasons we do not execute files passed via command line */ ++ /* Lets rather open the containing directory */ ++ ThunarFile *parent = thunar_file_get_parent (file, NULL); ++ ++ if (G_LIKELY (parent != NULL)) ++ { ++ thunar_application_open_window (application, parent, screen, startup_id, FALSE); ++ g_object_unref (parent); ++ } ++ } + + /* remove the file from the list */ + application->files_to_launch = g_list_delete_link (application->files_to_launch, +@@ -1577,18 +1598,20 @@ + * @startup_id : startup id to finish startup notification and properly focus the + * window when focus stealing is enabled or %NULL. + * @error : return location for errors or %NULL. ++ * @action : action to invoke on the files + * + * Tells @application to process the given @filenames and launch them appropriately. + * + * Return value: %TRUE on success, %FALSE if @error is set. 
+ **/ + gboolean +-thunar_application_process_filenames (ThunarApplication *application, +- const gchar *working_directory, +- gchar **filenames, +- GdkScreen *screen, +- const gchar *startup_id, +- GError **error) ++thunar_application_process_filenames (ThunarApplication *application, ++ const gchar *working_directory, ++ gchar **filenames, ++ GdkScreen *screen, ++ const gchar *startup_id, ++ GError **error, ++ ThunarApplicationProcessAction action) + { + ThunarFile *file; + GError *derror = NULL; +@@ -1660,7 +1683,10 @@ + + /* start processing files if we have any to launch */ + if (application->files_to_launch != NULL) +- thunar_application_process_files (application); ++ { ++ application->process_file_action = action; ++ thunar_application_process_files (application); ++ } + + /* free the file list */ + g_list_free (file_list); +diff -uNr thunar-1.8.15.orig/thunar/thunar-application.h thunar-1.8.15/thunar/thunar-application.h +--- thunar-1.8.15.orig/thunar/thunar-application.h 2020-05-10 17:54:14.000000000 +0800 ++++ thunar-1.8.15/thunar/thunar-application.h 2021-05-21 16:18:56.761466323 +0800 +@@ -31,6 +31,12 @@ + typedef struct _ThunarApplicationClass ThunarApplicationClass; + typedef struct _ThunarApplication ThunarApplication; + ++typedef enum ++{ ++ THUNAR_APPLICATION_LAUNCH_FILES, ++ THUNAR_APPLICATION_SELECT_FILES ++} ThunarApplicationProcessAction; ++ + #define THUNAR_TYPE_APPLICATION (thunar_application_get_type ()) + #define THUNAR_APPLICATION(obj) (G_TYPE_CHECK_INSTANCE_CAST ((obj), THUNAR_TYPE_APPLICATION, ThunarApplication)) + #define THUNAR_APPLICATION_CLASS(klass) (G_TYPE_CHECK_CLASS_CAST ((klass), THUNAR_TYPE_APPLICATION, ThunarApplicationClass)) +@@ -74,7 +80,8 @@ + gchar **filenames, + GdkScreen *screen, + const gchar *startup_id, +- GError **error); ++ GError **error, ++ ThunarApplicationProcessAction action); + + void thunar_application_rename_file (ThunarApplication *application, + ThunarFile *file, +diff -uNr 
thunar-1.8.15.orig/thunar/thunar-dbus-service.c thunar-1.8.15/thunar/thunar-dbus-service.c +--- thunar-1.8.15.orig/thunar/thunar-dbus-service.c 2020-05-10 17:54:14.000000000 +0800 ++++ thunar-1.8.15/thunar/thunar-dbus-service.c 2021-05-21 16:19:54.537347954 +0800 +@@ -991,7 +991,7 @@ + { + /* let the application process the filenames */ + application = thunar_application_get (); +- thunar_application_process_filenames (application, working_directory, filenames, screen, startup_id, &error); ++ thunar_application_process_filenames (application, working_directory, filenames, screen, startup_id, &error,THUNAR_APPLICATION_LAUNCH_FILES); + g_object_unref (G_OBJECT (application)); + + /* release the screen */ diff --git a/thunar-1.8.15.tar.bz2 b/thunar-1.8.15.tar.bz2 new file mode 100644 index 0000000..fb82021 Binary files /dev/null and b/thunar-1.8.15.tar.bz2 differ
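Review bot: The launch-or-select decision is kept in a single field, `application->process_file_action`, which thunar_application_process_filenames overwrites on every call that leaves `files_to_launch` non-empty, while the branch added in the `@@ -1507,8 +1509,27 @@` hunk reads it once per queued file. If the queue is drained asynchronously (the remove-from-list step in that hunk suggests it is, but the surrounding function lies outside the hunk), a D-Bus call passing `THUNAR_APPLICATION_LAUNCH_FILES` that arrives while command-line files are still pending would switch those files back to `thunar_file_launch`, the behaviour this patch is meant to stop. Recording the action alongside each queued entry rather than on the application object would remove that coupling. At minimum the assignment deserves a comment such as `/* applies to every entry still queued in files_to_launch, not only the files added by this call */`. The doc comment also still says the files are launched "appropriately", so `@action` should state that `THUNAR_APPLICATION_SELECT_FILES` never executes a regular file and opens its parent folder instead.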