diff -Nru nemo-5.4.3/debian/changelog nemo-5.4.3/debian/changelog
--- nemo-5.4.3/debian/changelog 2022-08-14 09:25:44.000000000 -0400
+++ nemo-5.4.3/debian/changelog 2023-01-06 15:53:50.000000000 -0500
@@ -1,3 +1,12 @@
+nemo (5.4.3-2ubuntu0.1) kinetic-security; urgency=medium
+
+ * SECURITY UPDATE: crash via invalid zip file
+ - debian/patches/CVE-2022-37290.patch: Fix null pointer error and
+ other potential problems
+ - CVE-2022-37290
+
+ -- Joshua Peisach Fri, 06 Jan 2023 15:53:50 -0500
+
 nemo (5.4.3-2) unstable; urgency=medium

 * Release to unstable
diff -Nru nemo-5.4.3/debian/control nemo-5.4.3/debian/control
--- nemo-5.4.3/debian/control 2022-08-14 09:25:44.000000000 -0400
+++ nemo-5.4.3/debian/control 2023-01-06 15:53:50.000000000 -0500
@@ -1,7 +1,8 @@
 Source: nemo
 Section: misc
 Priority: optional
-Maintainer: Debian Cinnamon Team
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Debian Cinnamon Team
 Uploaders:
 Maximiliano Curia ,
 Margarita Manterola ,
diff -Nru nemo-5.4.3/debian/patches/CVE-2022-37290.patch nemo-5.4.3/debian/patches/CVE-2022-37290.patch
--- nemo-5.4.3/debian/patches/CVE-2022-37290.patch 1969-12-31 19:00:00.000000000 -0500
+++ nemo-5.4.3/debian/patches/CVE-2022-37290.patch 2023-01-06 15:53:50.000000000 -0500
@@ -0,0 +1,72 @@
+Description: CVE-2022-37290: Fix null pointer error and other potential problems
+ This patch backports commits from 5.6.0 to fix
+ CVE-2022-37290 code present in Nemo.
+ .
+ 1) nemo-file-operations.c: Fix null pointer error.
+ 2) nemo-file-operations.c: Handle a couple more potential problems
+ with g_file_get_basename().
+Author: Michael Webster
+Origin: upstream, https://github.com/linuxmint/nemo/b9953e6, https://github.com/linuxmint/nemo/33c37a8
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/nemo/+bug/1998060
+Forwarded: no
+Applied-Upstream: 5.6.0
+Reviewed-by: Joshua Peisach
+Last-Update: 2023-01-06
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: nemo-5.4.3/libnemo-private/nemo-file-operations.c
+===================================================================
+--- nemo-5.4.3.orig/libnemo-private/nemo-file-operations.c
++++ nemo-5.4.3/libnemo-private/nemo-file-operations.c
+@@ -826,15 +826,22 @@ custom_basename_to_string (char *format,
+ g_object_unref (info);
+ }
+
+- if (name == NULL) {
+- basename = g_file_get_basename (file);
+- if (g_utf8_validate (basename, -1, NULL)) {
+- name = basename;
+- } else {
+- name = g_uri_escape_string (basename, G_URI_RESERVED_CHARS_ALLOWED_IN_PATH, TRUE);
+- g_free (basename);
+- }
+- }
++ if (name == NULL) {
++ basename = g_file_get_basename (file);
++
++ if (basename != NULL) {
++ if (g_utf8_validate (basename, -1, NULL)) {
++ name = basename;
++ } else {
++ name = g_uri_escape_string (basename, G_URI_RESERVED_CHARS_ALLOWED_IN_PATH, TRUE);
++ g_free (basename);
++ }
++ }
++ }
++
++ if (name == NULL) {
++ name = g_file_get_parse_name (file);
++ }
+
+ /* Some chars can't be put in the markup we use for the dialogs...
*/
+ if (has_invalid_xml_char (name)) {
+@@ -954,6 +961,10 @@ get_best_name (GFile *file, gchar **name
+ g_free (path);
+ } else {
+ out = g_file_get_basename (file);
++
++ if (out == NULL) {
++ out = g_file_get_parse_name (file);
++ }
+ }
+
+ *name = out;
+@@ -4230,7 +4241,7 @@ is_trusted_desktop_file (GFile *file,
+ }
+
+ basename = g_file_get_basename (file);
+- if (!g_str_has_suffix (basename, ".desktop")) {
++ if (basename && !g_str_has_suffix (basename, ".desktop")) {
+ g_free (basename);
+ return FALSE;
+ }
diff -Nru nemo-5.4.3/debian/patches/series nemo-5.4.3/debian/patches/series
--- nemo-5.4.3/debian/patches/series 1969-12-31 19:00:00.000000000 -0500
+++ nemo-5.4.3/debian/patches/series 2023-01-06 15:39:14.000000000 -0500
@@ -0,0 +1 @@
+CVE-2022-37290.patch
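Review bot: In `is_trusted_desktop_file` (the last inner hunk of CVE-2022-37290.patch), the new `basename &&` guard makes a NULL basename skip the `.desktop` suffix test and fall through to the rest of the trust check, so the gate fails open in the one case this patch is hardening. For a function that decides whether a launcher may be trusted, a file whose basename cannot be determined should be rejected: `if (basename == NULL || !g_str_has_suffix (basename, ".desktop")) {`, keeping the existing `g_free (basename); return FALSE;` body, which is safe because `g_free (NULL)` is a no-op. The function's remaining checks lie outside the hunk, so they may still reject such a file, but nothing visible here guarantees it. The DEP-3 `Origin:` URLs also appear to lack the `/commit/` path segment, which makes the two backported upstream commits harder to verify.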