Bug 31237

Summary: xfce4-settings new security issue CVE-2022-45062
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, jani.valimaa, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: xfce4-settings-4.16.0-2.mga8.src.rpm CVE:
Status comment:

Description David Walser 2022-12-07 18:12:13 CET 
Debian has issued an advisory on December 6:
https://www.debian.org/security/2022/dsa-5296

The issue is fixed upstream in 4.16.4.
David Walser 2022-12-07 18:12:46 CET

Status comment: (none) => Fixed upstream in 4.16.4

Comment 1 Lewis Smith 2022-12-07 20:51:24 CET 
I see in Cauldron 4.16.3, 4.17.0 & 1.
This is package is with Jani.

Assignee: bugsquad => jani.valimaa

Comment 2 David Walser 2022-12-12 16:56:33 CET 
Fedora has issued an advisory for this on December 10:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/H2VXO6JTWDSNXI34DHFAZIN7PGCR4BLI/

Severity: normal => major

Comment 3 Jani Välimaa 2022-12-17 08:14:25 CET 
Pushed xfce4-settings-4.16.0-2.1.mga8 to core/updates_testing with a patch from upstream. Please test.

RPMS/SRPMS:
xfce4-settings-4.16.0-2.1.mga8

CC: (none) => jani.valimaa
Assignee: jani.valimaa => qa-bugs

Comment 4 Herman Viaene 2022-12-17 12:11:52 CET 
MGA8-64 Xfce on Acer Aspire 5253
No installation issues.
No wiki, no previous updates, so launched xfce4-settings-manager and got warnings on the CLI, but apparently nothing that really matters.
Jumped around on file manager settings, desktop, notifications, keyboard, power manager, pulse audio, session and startup, making a few changes to my own liking, all seems to work OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

David Walser 2022-12-17 16:21:27 CET

Status comment: Fixed upstream in 4.16.4 => (none)

Comment 5 Thomas Andrews 2022-12-17 16:43:16 CET 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 6 Dave Hodgins 2022-12-17 17:41:37 CET 
Testing in xfce
Before installing the update
xdg-open 'http://example.org" --private-window"'
opens a http://example.org/ in firefox and opens a private window with no
url.
After installing the update it only opens a normal window with no url.

Testing in plasma with xfce-minimal also installed.
It opens firefox trying to load https://www.xdg-open.com/
Same after the update is installed.

running xdg-open "https://www.mageia.org/en/" does work as expected.

CC: (none) => davidwhodgins

Comment 7 Dave Hodgins 2022-12-17 17:48:17 CET 
Advisory committed to svn

Keywords: (none) => advisory

Comment 8 Mageia Robot 2022-12-17 19:49:33 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0471.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED