Bug 28086

Summary: xdg-utils regression caused by CVE-2020-27748 fix
Product: Mageia Reporter: David Walser <luigiwalser>
Component: RPM PackagesAssignee: All Packagers <pkg-bugs>
Status: NEW --- QA Contact:
Severity: normal    
Priority: Normal CC: jani.valimaa
Version: 8   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: xdg-utils-1.1.3-5.mga8.src.rpm CVE:
Status comment:

Description David Walser 2021-01-13 19:14:10 CET 
Ubuntu has issued an advisory on January 12:
https://ubuntu.com/security/notices/USN-4649-2

Mageia 7 is also affected.
David Walser 2021-01-13 19:16:35 CET

Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2021-01-14 14:15:44 CET 
A parentless package, so assigning this bug globally.
CC'ing wally as having done another recent security update to it.

CC: (none) => jani.valimaa
Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2021-07-03 21:21:47 CEST 
Ping packagers.

Whiteboard: MGA7TOO => MGA8TOO

Comment 3 David Walser 2021-07-06 16:58:42 CEST 
I reverted the patch in Cauldron as Ubuntu did, and added the latest upstream patches, the latest of which is a fix for Plasma 5.19, so we should do this same update for Mageia 8:
https://cgit.freedesktop.org/xdg/xdg-utils/log/

I'll let Jani review this before we do anything for Mageia 8.

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 4 David Walser 2021-07-07 04:41:10 CEST 
One thing I'm confused about too is it appears the reverted patch is still in Ubuntu 21.04.  Reading the launchpad bug it sounds like perhaps applications affected by the regression adapted to it?  The CVE remains unsolved upstream though.
Comment 5 David Walser 2021-07-07 23:44:37 CEST 
I've re-added the CVE patch in Cauldron for now, so I guess we'll have to see if anything breaks.  I noticed Discord links don't open in Mageia 8 (worked in Mageia 7) so I'm wondering if xdg-open is broken and needs that fix I mentioned for newer Plasma.