Fix CVE-2025-49466 (fedora#2370376)

2025-06-05 09:15:40 +02:00 · 2025-06-05 09:15:40 +02:00 · eadf8f930e
commit eadf8f930e
parent d71010e4db
3 changed files with 86 additions and 0 deletions
--- a/aerc.spec
+++ b/aerc.spec
@ -29,6 +29,9 @@ Source0:        %{gosource}
 Source1:        %{archivename}-vendor.tar.bz2
 Source2:        go-vendor-tools.toml

+Patch0:         open-only-use-part-basename-for-temp-file.patch
+Patch1:         open-fix-opening-text-html-messages.patch
+
 BuildRequires:  desktop-file-utils
 # wrap and colorize filters are written in C
 BuildRequires:  gcc
--- a/open-fix-opening-text-html-messages.patch
+++ b/open-fix-opening-text-html-messages.patch
@ -0,0 +1,38 @@
+From 2bbe75fe0bc87ab4c1e16c5a18c6200224391629 Mon Sep 17 00:00:00 2001
+From: Nicole Patricia Mazzuca <nicole@streganil.no>
+Date: Fri, 9 May 2025 09:32:21 +0200
+Subject: [PATCH aerc] open: fix opening text/html messages
+
+This fixes a bug introduced in 93bec0de8ed5ab3d6b1f01026fe2ef20fa154329:
+aerc started using `path.Base(<part>)`, which returns `"."` on an empty
+path, but still checked for `""` two lines later.
+
+On macOS, the result is that aerc attempts to open the directory:
+
+```
+open /var/folders/vn/hs0zvdsx3vq6svvry8s1bnym0000gn/T/aerc-4229266673: is a directory
+```
+
+Signed-off-by: Nicole Patricia Mazzuca <nicole@streganil.no>
+Acked-by: Robin Jarry <robin@jarry.cc>
+---
+
+ commands/msgview/open.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/commands/msgview/open.go b/commands/msgview/open.go
+index a6e43cb8da5f..7c770d4a90b7 100644
+--- a/commands/msgview/open.go
+++ b/commands/msgview/open.go
+@@ -59,7 +59,7 @@ func (o Open) Execute(args []string) error {
+ 		}
+ 		filename := path.Base(part.FileName())
+ 		var tmpFile *os.File
+-		if filename == "" {
+		if filename == "." {
+ 			extension := ""
+ 			if exts, _ := mime.ExtensionsByType(mimeType); len(exts) > 0 {
+ 				extension = exts[0]
+-- 
+2.49.0
+
--- a/open-only-use-part-basename-for-temp-file.patch
+++ b/open-only-use-part-basename-for-temp-file.patch
@ -0,0 +1,45 @@
+From 93bec0de8ed5ab3d6b1f01026fe2ef20fa154329 Mon Sep 17 00:00:00 2001
+From: Robin Jarry <robin@jarry.cc>
+Date: Wed, 9 Apr 2025 10:49:24 +0200
+Subject: [PATCH aerc] open: only use part basename for temp file
+
+When an attachment part has a name such as "/tmp/55208186_AllDocs.pdf",
+aerc creates a temp folder and tries to store the file by blindly
+concatenating the path as follows:
+
+	/tmp/aerc-3444057757/tmp/55208186_AllDocs.pdf
+
+And when writing to this path, it gets a "No such file or directory"
+error because the intermediate "tmp" subfolder isn't created.
+
+Reported-by: Erik Colson <eco@ecocode.net>
+Signed-off-by: Robin Jarry <robin@jarry.cc>
+---
+
+ commands/msgview/open.go | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/commands/msgview/open.go b/commands/msgview/open.go
+index 4293b7e4892c..a6e43cb8da5f 100644
+--- a/commands/msgview/open.go
+++ b/commands/msgview/open.go
+@@ -5,6 +5,7 @@ import (
+ 	"io"
+ 	"mime"
+ 	"os"
+	"path"
+ 	"path/filepath"
+ 
+ 	"git.sr.ht/~rjarry/aerc/app"
+@@ -56,7 +57,7 @@ func (o Open) Execute(args []string) error {
+ 			app.PushError(err.Error())
+ 			return
+ 		}
+-		filename := part.FileName()
+		filename := path.Base(part.FileName())
+ 		var tmpFile *os.File
+ 		if filename == "" {
+ 			extension := ""
+-- 
+2.49.0
+