Accepting request 557972 from home:alois:branches:games

- Added scummvm-fix_CVE-2017-17528.patch to address (boo#1073248)

OBS-URL: https://build.opensuse.org/request/show/557972
OBS-URL: https://build.opensuse.org/package/show/games/scummvm?expand=0&rev=49

scummvm-fix_CVE-2017-17528.patch

@@ -0,0 +1,64 @@
+From 7aaac1dfba22d2e70b33b2cf856d7885944d4a6e Mon Sep 17 00:00:00 2001
+From: Colin Snover <github.com@zetafleet.com>
+Date: Thu, 14 Dec 2017 13:51:04 -0600
+Subject: [PATCH] POSIX: Fix CVE-2017-17528
+
+---
+ backends/platform/sdl/posix/posix.cpp | 28 ++++++++++++++++++++--------
+ 1 file changed, 20 insertions(+), 8 deletions(-)
+
+diff --git a/backends/platform/sdl/posix/posix.cpp b/backends/platform/sdl/posix/posix.cpp
+index b805a452cf7..60f85efc2f1 100644
+--- a/backends/platform/sdl/posix/posix.cpp
++++ b/backends/platform/sdl/posix/posix.cpp
+@@ -49,6 +49,9 @@
+ #include <sys/wait.h>
+ #include <unistd.h>
+ 
++#include <spawn.h>
++extern char **environ;
++
+ OSystem_POSIX::OSystem_POSIX(Common::String baseConfigName)
+ 	:
+ 	_baseConfigName(baseConfigName) {
+@@ -279,7 +282,7 @@ bool OSystem_POSIX::openUrl(const Common::String &url) {
+ 	// try desktop environment specific tools
+ 	if (launchBrowser("gnome-open", url)) // gnome
+ 		return true;
+-	if (launchBrowser("kfmclient openURL", url)) // kde
++	if (launchBrowser("kfmclient", url)) // kde
+ 		return true;
+ 	if (launchBrowser("exo-open", url)) // xfce
+ 		return true;
+@@ -302,15 +305,24 @@ bool OSystem_POSIX::openUrl(const Common::String &url) {
+ 	return false;
+ }
+ 
+-bool OSystem_POSIX::launchBrowser(const Common::String& client, const Common::String &url) {
+-	// FIXME: system's input must be heavily escaped
+-	// well, when url's specified by user
+-	// it's OK now (urls are hardcoded somewhere in GUI)
+-	Common::String cmd = client + " " + url;
+-	return (system(cmd.c_str()) != -1);
++bool OSystem_POSIX::launchBrowser(const Common::String &client, const Common::String &url) {
++	pid_t pid;
++	const char *argv[] = {
++		client.c_str(),
++		url.c_str(),
++		NULL,
++		NULL
++	};
++	if (client == "kfmclient") {
++		argv[2] = argv[1];
++		argv[1] = "openURL";
++	}
++	if (posix_spawnp(&pid, client.c_str(), NULL, NULL, const_cast<char **>(argv), environ) != 0) {
++		return false;
++	}
++	return (waitpid(pid, NULL, 0) != -1);
+ }
+ 
+-
+ AudioCDManager *OSystem_POSIX::createAudioCDManager() {
+ #ifdef USE_LINUXCD
+ 	return createLinuxAudioCDManager();

scummvm.changes

@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Mon Dec 18 09:12:00 UTC 2017 - aloisio@gmx.com
+
+- Added scummvm-fix_CVE-2017-17528.patch to address (boo#1073248)
+
 -------------------------------------------------------------------
 Sun Dec 17 19:25:33 UTC 2017 - alarrosa@suse.com
 

scummvm.spec

@@ -28,6 +28,8 @@ Group:          Amusements/Games/Other
 Url:            http://www.scummvm.org/
 Source:         http://www.scummvm.org/frs/scummvm/%{version}/scummvm-%{version}.tar.xz
 Source99:       %{name}.changes
+# PATCH-FIX-UPSTREAM scummvm-fix_CVE-2017-17528.patch -- backported commit #7aaac1d
+Patch0:         scummvm-fix_CVE-2017-17528.patch
 BuildRequires:  desktop-file-utils
 BuildRequires:  gcc-c++
 BuildRequires:  hicolor-icon-theme
@@ -80,6 +82,7 @@ These engines are in a worse state, but allow to play extra games.
 
 %prep
 %setup -q
+%patch0 -p1
 modified="$(sed -n '/^----/n;s/ - .*$//;p;q' "%{SOURCE99}")"
 DATE="\"$(date -d "${modified}" "+%%b %%e %%Y")\""
 TIME="\"$(date -d "${modified}" "+%%R")\""