[SRU] Thunar CVE-2021-32563 (focal, groovy, hirsute)

[bluesabre]

Describe the bug(s) being fixed
CVE-2021-32563 affects Thunar versions found in supported releases. Related patches:

• 1.8.x for focal, groovy: 1b85b96ebf7cb9bf6a3ddf1acee7643643fdf92d
• 4.16.x for hirsute: 9165a61f95e43cc0b5abf9b98eee2818a0191e0b, 3b54d9d7dbd7fd16235e2141c43a7f18718f5664

GitLab issues #121, #575

To Reproduce
Steps to reproduce the behavior:

1. Execute thunar ~/Pictures/icon.png
2. The default application loads the file.

Expected behavior
Thunar should instead open, selecting the file.

Desktop (please complete the following information):

• Xubuntu Releases: focal, groovy, hirsute
• Package: thunar
• Versions: 1.8.14-0ubuntu1, 1.8.15-1, 4.16.6-0ubuntu1

Additional context
Scripts and applications depending on the previous functionality will be adversely affected. Since this functionality is specific to Thunar, this change should have minimal regression impact.

Verification

• I have reviewed the requirements for Stable Release Updates

[bluesabre]

Experimental build for focal at https://launchpad.net/~bluesabre/+archive/ubuntu/experimental

thunar_1.8.14-0ubuntu1_thunar_1.8.14-0ubuntu2.txt

[bluesabre]

Experimental build for groovy at https://launchpad.net/~bluesabre/+archive/ubuntu/experimental

thunar_1.8.15-1_1.8.15-1ubuntu1.txt

[bluesabre]

Experimental build for hirsute at https://launchpad.net/~bluesabre/+archive/ubuntu/experimental

thunar_4.16.6-0ubuntu1_4.16.6-0ubuntu2.txt

[bluesabre]

@philipzae I've got some early experimental builds for focal, groovy, and hirsute above (some are still building). Can you or the testers give them a quick test before I submit formal SRUs on Launchpad?

[philipzae]

@bluesabre on it.

[JT252]

I was able to reproduce the issue with Xubuntu_21.04 with the experimental build.

[bluesabre]

@JT252 Does that mean that the issue is not fixed? I'll have to take another look.

[JT252]

It works as expected. It now opens thunar instead of the image with its default image viewer.

…

On Tue, Jun 8, 2021 at 9:11 PM Sean Davis ***@***.***> wrote: @JT252 <https://github.com/JT252> Does that mean that the issue is not fixed? I'll have to take another look. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#6 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AQAC37SGH46EJVQMF6JQC4TTR25S3ANCNFSM46JTJXRQ> .

[bluesabre]

@JT252 Thanks for the confirmation.

I've created a public security bug on Launchpad for the CVE.
https://bugs.launchpad.net/ubuntu/+source/thunar/+bug/1931510