diff -Nru thunar-4.16.6/debian/changelog thunar-4.16.6/debian/changelog
--- thunar-4.16.6/debian/changelog 2021-03-25 17:33:17.000000000 -0400
+++ thunar-4.16.6/debian/changelog 2021-06-09 21:43:13.000000000 -0400
@@ -1,3 +1,11 @@
+thunar (4.16.6-0ubuntu1.1) hirsute; urgency=medium
+
+ * d/patches/cve-2021-32563.patch:
+ - Fix CVE-2021-32563, prevent opening a different application
+ without user confirmation
+
+ -- Sean Davis Wed, 09 Jun 2021 21:43:13 -0400
+
 thunar (4.16.6-0ubuntu1) devel; urgency=medium
 
 * New upstream release.
diff -Nru thunar-4.16.6/debian/patches/cve-2021-32563.patch thunar-4.16.6/debian/patches/cve-2021-32563.patch
--- thunar-4.16.6/debian/patches/cve-2021-32563.patch 1969-12-31 19:00:00.000000000 -0500
+++ thunar-4.16.6/debian/patches/cve-2021-32563.patch 2021-06-08 07:14:50.000000000 -0400
@@ -0,0 +1,289 @@
+From 9165a61f95e43cc0b5abf9b98eee2818a0191e0b Mon Sep 17 00:00:00 2001
+From: Alexander Schwinn
+Date: Sat, 1 May 2021 00:40:44 +0200
+Subject: [PATCH] Dont execute files, passed via command line due to security
+ risks
+
+Instead open the containing folder and select the file.
+
+Fixes #121
+---
+ thunar/thunar-application.c | 25 +++++++++++++++++++++++--
+ thunar/thunar-window.c | 4 +---
+ thunar/thunar-window.h | 2 ++
+ 3 files changed, 26 insertions(+), 5 deletions(-)
+
+diff --git a/thunar/thunar-application.c b/thunar/thunar-application.c
+index 953980e6..482653a7 100644
+--- a/thunar/thunar-application.c
++++ b/thunar/thunar-application.c
+@@ -1512,8 +1512,29 @@ thunar_application_process_files_finish (ThunarBrowser *browser,
+ }
+ else
+ {
+- /* try to open the file or directory */
+- thunar_file_launch (target_file, screen, startup_id, &error);
++ if (thunar_file_is_directory (file))
++ {
++ thunar_application_open_window (application, file, screen, startup_id, FALSE);
++ }
++ else
++ {
++ /* Note that for security reasons we do not execute files passed via command line */
++ /* Lets rather open the containing directory and select the file */
++ ThunarFile *parent = thunar_file_get_parent (file, NULL);
++
++ if (G_LIKELY (parent != NULL))
++ {
++ GList* files = NULL;
++ GtkWidget *window;
++
++ window = thunar_application_open_window (application, parent, screen, startup_id, FALSE);
++ g_object_unref (parent);
++
++ files = g_list_append (files, thunar_file_get_file (file));
++ thunar_window_select_files (THUNAR_WINDOW (window), files);
++ g_list_free (files);
++ }
++ }
+
+ /* remove the file from the list */
+ application->files_to_launch = g_list_delete_link (application->files_to_launch,
+diff --git a/thunar/thunar-window.c b/thunar/thunar-window.c
+index 89b2eb08..91acef1e 100644
+--- a/thunar/thunar-window.c
++++ b/thunar/thunar-window.c
+@@ -261,8 +261,6 @@ static void thunar_window_update_go_menu (ThunarWindow
+ GtkWidget *menu);
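Review bot: In the new non-directory branch of `thunar_application_process_files_finish` (thunar-application.c, first patch), a file whose `thunar_file_get_parent` lookup returns NULL is dropped with no window and no error. The removed `thunar_file_launch` call was the only writer of `error` in this branch, and the entry is still removed from `files_to_launch` immediately afterwards. The return value of `thunar_application_open_window` is also passed through `THUNAR_WINDOW ()` unchecked; whether it can be NULL is not visible here. I would guard the selection with `if (G_LIKELY (window != NULL))` and give the `parent == NULL` case an `else` that sets `error`, so a path that cannot be shown is reported rather than ignored. The function starts and ends outside the hunk, so how `error` is consumed afterwards needs confirming.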
+ static void thunar_window_update_help_menu (ThunarWindow *window,
+ GtkWidget *menu);
+-static void thunar_window_select_files (ThunarWindow *window,
+- GList *path_list);
+ static void thunar_window_binding_create (ThunarWindow *window,
+ gpointer src_object,
+ const gchar *src_prop,
+@@ -944,7 +942,7 @@ thunar_window_screen_changed (GtkWidget *widget,
+ *
+ * Visually selects the files, given by the list
+ **/
+-static void
++void
+ thunar_window_select_files (ThunarWindow *window,
+ GList *files_to_selected)
+ {
+diff --git a/thunar/thunar-window.h b/thunar/thunar-window.h
+index 9d089d30..e155a5a4 100644
+--- a/thunar/thunar-window.h
++++ b/thunar/thunar-window.h
+@@ -130,6 +130,8 @@ void thunar_window_redirect_menu_tooltips_to_statusbar (Thu
+ GtkMenu *menu);
+ const XfceGtkActionEntry* thunar_window_get_action_entry (ThunarWindow *window,
+ ThunarWindowAction action);
++ void thunar_window_select_files (ThunarWindow *window,
++ GList *path_list);
+ G_END_DECLS;
+
+ #endif /* !__THUNAR_WINDOW_H__ */
+--
+GitLab
+
+From 3b54d9d7dbd7fd16235e2141c43a7f18718f5664 Mon Sep 17 00:00:00 2001
+From: Alexander Schwinn
+Date: Fri, 7 May 2021 15:21:27 +0200
+Subject: [PATCH] Regression: Activating Desktop Icon does not Use Default
+ Application (Issue #575)
+
+- Introduced by 9165a61f (Dont execute files, passed via command line
+due to security risks)
+- Now via DBus files are executed, and via CLI, files are just selected
+
+Fixes #575
+---
+ thunar/thunar-application.c | 68 +++++++++++++++++++++---------------
+ thunar/thunar-application.h | 9 ++++-
+ thunar/thunar-dbus-service.c | 2 +-
+ 3 files changed, 49 insertions(+), 30 deletions(-)
+
+diff --git a/thunar/thunar-application.c b/thunar/thunar-application.c
+index 482653a7..93d3c6cb 100644
+--- a/thunar/thunar-application.c
++++ b/thunar/thunar-application.c
+@@ -182,37 +182,38 @@ struct _ThunarApplicationClass
+
+ struct _ThunarApplication
+ {
+- GtkApplication __parent__;
++ GtkApplication __parent__;
+
+- ThunarSessionClient *session_client;
++ ThunarSessionClient *session_client;
+
+- ThunarPreferences *preferences;
+- GtkWidget *progress_dialog;
++ ThunarPreferences *preferences;
++ GtkWidget *progress_dialog;
+
+- ThunarThumbnailCache *thumbnail_cache;
+- ThunarThumbnailer *thumbnailer;
++ ThunarThumbnailCache *thumbnail_cache;
++ ThunarThumbnailer *thumbnailer;
+
+- ThunarDBusService *dbus_service;
++ ThunarDBusService *dbus_service;
+
+- gboolean daemon;
++ gboolean daemon;
+
+- guint accel_map_save_id;
+- GtkAccelMap *accel_map;
++ guint accel_map_save_id;
++ GtkAccelMap *accel_map;
+
+- guint show_dialogs_timer_id;
++ guint show_dialogs_timer_id;
+
+ #ifdef HAVE_GUDEV
+- GUdevClient *udev_client;
++ GUdevClient *udev_client;
+
+- GSList *volman_udis;
+- guint volman_idle_id;
+- guint volman_watch_id;
++ GSList *volman_udis;
++ guint volman_idle_id;
++ guint volman_watch_id;
+ #endif
+
+- GList *files_to_launch;
++ GList *files_to_launch;
++ ThunarApplicationProcessAction process_file_action;
+
+- guint dbus_owner_id_xfce;
+- guint dbus_owner_id_fdo;
++ guint dbus_owner_id_xfce;
++ guint dbus_owner_id_fdo;
+ };
+
+
+@@ -279,6 +280,7 @@ thunar_application_init (ThunarApplication *application)
+ * in the primary instance anyways */
+
+ application->files_to_launch = NULL;
++ application->process_file_action = THUNAR_APPLICATION_SELECT_FILES;
+ application->progress_dialog = NULL;
+ application->preferences = NULL;
+
+@@ -531,7 +533,7 @@ thunar_application_command_line (GApplication *gapp,
+ }
+ else if (filenames != NULL)
+ {
+- if (!thunar_application_process_filenames (application, cwd, filenames, NULL, NULL, &error))
++ if (!thunar_application_process_filenames (application, cwd, filenames, NULL, NULL, &error, THUNAR_APPLICATION_SELECT_FILES))
+ {
+ /* we failed to process the filenames or the bulk rename failed */
+ g_application_command_line_printerr (command_line, "Thunar: %s\n", error->message);
+@@ -539,7 +541,7 @@ thunar_application_command_line (GApplication *gapp,
+ }
+ else if (!daemon)
+ {
+- if (!thunar_application_process_filenames (application, cwd, cwd_list, NULL, NULL, &error))
++ if (!thunar_application_process_filenames (application, cwd, cwd_list, NULL, NULL, &error, THUNAR_APPLICATION_SELECT_FILES))
+ {
+ /* we failed to process the filenames or the bulk rename failed */
+ g_application_command_line_printerr (command_line, "Thunar: %s\n", error->message);
+@@ -1512,7 +1514,12 @@ thunar_application_process_files_finish (ThunarBrowser *browser,
+ }
+ else
+ {
+- if (thunar_file_is_directory (file))
++ if (application->process_file_action == THUNAR_APPLICATION_LAUNCH_FILES)
++ {
++ /* try to launch the file / open the directory */
++ thunar_file_launch (target_file, screen, startup_id, &error);
++ }
++ else if (thunar_file_is_directory (file))
+ {
+ thunar_application_open_window (application, file, screen, startup_id, FALSE);
+ }
+@@ -1603,18 +1610,20 @@ thunar_application_process_files (ThunarApplication *application)
+ * @startup_id : startup id to finish startup notification and properly focus the
+ * window when focus stealing is enabled or %NULL.
+ * @error : return location for errors or %NULL.
++ * @action : action to invoke on the files
+ *
+ * Tells @application to process the given @filenames and launch them appropriately.
+ *
+ * Return value: %TRUE on success, %FALSE if @error is set.
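Review bot: `application->process_file_action` is a single field for the whole application, yet in the `@@ -1512,7 +1514,12 @@` hunk it decides per file whether `thunar_file_launch` runs, and the `@@ -1686,7 +1695,10 @@` hunk of `thunar_application_process_filenames` overwrites it on every call. If `files_to_launch` can still hold command-line entries when a DBus `LaunchFiles` request arrives (the queue handling is outside these hunks), those entries would be finished under `THUNAR_APPLICATION_LAUNCH_FILES`, which is the behaviour the first patch removed. Storing the action with each queued entry, or refusing to change it while the list is non-empty, would keep the two sources apart. At minimum the struct field deserves a comment such as `/* applies to every entry currently in files_to_launch */`.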
+ **/
+ gboolean
+-thunar_application_process_filenames (ThunarApplication *application,
+- const gchar *working_directory,
+- gchar **filenames,
+- GdkScreen *screen,
+- const gchar *startup_id,
+- GError **error)
++thunar_application_process_filenames (ThunarApplication *application,
++ const gchar *working_directory,
++ gchar **filenames,
++ GdkScreen *screen,
++ const gchar *startup_id,
++ GError **error,
++ ThunarApplicationProcessAction action)
+ {
+ ThunarFile *file;
+ GError *derror = NULL;
+@@ -1686,7 +1695,10 @@ thunar_application_process_filenames (ThunarApplication *application,
+
+ /* start processing files if we have any to launch */
+ if (application->files_to_launch != NULL)
+- thunar_application_process_files (application);
++ {
++ application->process_file_action = action;
++ thunar_application_process_files (application);
++ }
+
+ /* free the file list */
+ g_list_free (file_list);
+diff --git a/thunar/thunar-application.h b/thunar/thunar-application.h
+index 547cb701..8c180e8c 100644
+--- a/thunar/thunar-application.h
++++ b/thunar/thunar-application.h
+@@ -31,6 +31,12 @@ G_BEGIN_DECLS;
+ typedef struct _ThunarApplicationClass ThunarApplicationClass;
+ typedef struct _ThunarApplication ThunarApplication;
+
++typedef enum
++{
++ THUNAR_APPLICATION_LAUNCH_FILES,
++ THUNAR_APPLICATION_SELECT_FILES
++} ThunarApplicationProcessAction;
++
+ #define THUNAR_TYPE_APPLICATION (thunar_application_get_type ())
+ #define THUNAR_APPLICATION(obj) (G_TYPE_CHECK_INSTANCE_CAST ((obj), THUNAR_TYPE_APPLICATION, ThunarApplication))
+ #define THUNAR_APPLICATION_CLASS(klass) (G_TYPE_CHECK_CLASS_CAST ((klass), THUNAR_TYPE_APPLICATION, ThunarApplicationClass))
+@@ -74,7 +80,8 @@ gboolean thunar_application_process_filenames (ThunarAppli
+ gchar **filenames,
+ GdkScreen *screen,
+ const gchar *startup_id,
+- GError **error);
++ GError **error,
++ ThunarApplicationProcessAction action);
+
+ void thunar_application_rename_file (ThunarApplication *application,
+ ThunarFile *file,
+diff --git a/thunar/thunar-dbus-service.c b/thunar/thunar-dbus-service.c
+index 2ac4ff61..b0468487 100644
+--- a/thunar/thunar-dbus-service.c
++++ b/thunar/thunar-dbus-service.c
+@@ -991,7 +991,7 @@ thunar_dbus_service_launch_files (ThunarDBusFileManager *object,
+ {
+ /* let the application process the filenames */
+ application = thunar_application_get ();
+- thunar_application_process_filenames (application, working_directory, filenames, screen, startup_id, &error);
++ thunar_application_process_filenames (application, working_directory, filenames, screen, startup_id, &error, THUNAR_APPLICATION_LAUNCH_FILES);
+ g_object_unref (G_OBJECT (application));
+
+ /* release the screen */
+--
+GitLab
+
diff -Nru thunar-4.16.6/debian/patches/series thunar-4.16.6/debian/patches/series
--- thunar-4.16.6/debian/patches/series 2021-03-07 04:58:15.000000000 -0500
+++ thunar-4.16.6/debian/patches/series 2021-06-08 07:15:36.000000000 -0400
@@ -1 +1,3 @@
 01_support-non-multiarch-modules.patch
+cve-2021-32563.patch
+
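Review bot: The `action` parameter added to the `thunar_application_process_filenames` prototype has no safe zero value. In the enum introduced by the `@@ -31,6 +31,12 @@` hunk of this header, `THUNAR_APPLICATION_LAUNCH_FILES` is the first enumerator and therefore 0, so a caller that passes 0 or relies on zeroed memory gets the launching behaviour. Listing the selecting action first, `THUNAR_APPLICATION_SELECT_FILES, THUNAR_APPLICATION_LAUNCH_FILES`, would make the non-executing path the default. `thunar_application_init` already assigns the field explicitly, and no visible caller depends on the numeric values. A short comment on each enumerator naming the entry point allowed to use it would help as well.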
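Review bot: Nothing at the call in `thunar_dbus_service_launch_files` records that it is the only visible caller passing `THUNAR_APPLICATION_LAUNCH_FILES`, so the protection added for command-line paths now rests on who can reach this DBus method. A comment above the call would record the decision, for example `/* LaunchFiles is an explicit request from a session-bus client (desktop icon activation); paths from the command line must use THUNAR_APPLICATION_SELECT_FILES */`. The function starts and ends outside the hunk, so any validation of `filenames` before this call is not visible here.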