File xdg-desktop-portal-CVE-2024-32462.patch of Package xdg-desktop-portal.34040
Author: Georges Basile Stavracas Neto <georges.stavracas@gmail.com>
Date: Wed Apr 17 09:30:09 2024 -0300
background: Improve validation of commandline option
Check that the first commandline item doesn't start with whitespaces or
a hyphen.
Also sneakily plug a memory leak: g_variant_get_strv() is transfer-container,
so switch the variable to g_autofree.
Mitigates: CVE-2024-32462
diff -Nura xdg-desktop-portal-1.16.0/src/background.c xdg-desktop-portal-1.16.0_new/src/background.c
--- xdg-desktop-portal-1.16.0/src/background.c 2022-12-13 06:43:34.000000000 +0800
+++ xdg-desktop-portal-1.16.0_new/src/background.c 2024-05-26 13:57:25.446616089 +0800
@@ -848,7 +848,7 @@
GError **error)
{
gsize length;
- const char **strv = g_variant_get_strv (value, &length);
+ g_autofree const char **strv = g_variant_get_strv (value, &length);
if (strv[0] == NULL)
{
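Review bot: The new `g_autofree` on the `strv` declaration deserves a one-line comment saying why only the outer array is released, since a reader may otherwise expect the strings to leak or to be double-freed: `/* transfer-container: free the array, the strings are owned by @value */`. Because of that ownership, `strv` must not outlive `value`; this appears to hold here as the function only validates and returns. The enclosing function's body continues into the next hunk, where the added first-item check compares only against `' '` although the commit message says "whitespaces"; `g_ascii_isspace (*strv[0])` would match the stated intent and also reject a leading tab.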
@@ -864,6 +864,13 @@
return FALSE;
}
+ if (*strv[0] == ' ' || *strv[0] == '-')
+ {
+ g_set_error (error, XDG_DESKTOP_PORTAL_ERROR, XDG_DESKTOP_PORTAL_ERROR_INVALID_ARGUMENT,
+ "First commandline item can't start with whitespace nor hyphens");
+ return FALSE;
+ }
+
if (length > 100)
{
g_set_error (error, XDG_DESKTOP_PORTAL_ERROR, XDG_DESKTOP_PORTAL_ERROR_INVALID_ARGUMENT,