File xdg-desktop-portal-CVE-2024-32462.patch of Package xdg-desktop-portal.39603
Author: Georges Basile Stavracas Neto <georges.stavracas@gmail.com>
Date: Wed Apr 17 09:30:09 2024 -0300
background: Improve validation of commandline option
Check that the first commandline item doesn't start with whitespaces or
a hyphen.
Also sneakily plug a memory leak, g_variant_get_strv() is transfer-
container. Switch to g_autofree on the variable.
Mitigates: CVE-2024-32462
diff -Nura xdg-desktop-portal-1.10.1/src/background.c xdg-desktop-portal-1.10.1_new/src/background.c
--- xdg-desktop-portal-1.10.1/src/background.c 2020-03-13 20:38:51.000000000 +0800
+++ xdg-desktop-portal-1.10.1_new/src/background.c 2024-05-27 12:13:44.569031197 +0800
@@ -358,7 +358,7 @@
GError **error)
{
gsize length;
- const char **strv = g_variant_get_strv (value, &length);
+ g_autofree const char **strv = g_variant_get_strv (value, &length);
if (strv[0] == NULL)
{
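Review bot: The `g_autofree` on the new strv declaration frees only the outer array, while the strings it points to remain owned by `value`; that two-level ownership is not stated anywhere in the hunk and is easy to get wrong on a later edit. A one-line comment on the declaration would pin it down, e.g. `/* transfer-container: g_autofree releases the array; the strings stay owned by @value and must not outlive it */`. Whether any code path keeps a pointer into strv past the function's return cannot be seen from this hunk, so that is worth confirming against the rest of the body. The enclosing function begins above the hunk, only its trailing `GError **error)` parameter is visible here.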
@@ -374,6 +374,13 @@
return FALSE;
}
+ if (*strv[0] == ' ' || *strv[0] == '-')
+ {
+ g_set_error (error, XDG_DESKTOP_PORTAL_ERROR, XDG_DESKTOP_PORTAL_ERROR_INVALID_ARGUMENT,
+ "First commandline item can't start with whitespace nor hyphens");
+ return FALSE;
+ }
+
if (length > 100)
{
g_set_error (error, XDG_DESKTOP_PORTAL_ERROR, XDG_DESKTOP_PORTAL_ERROR_INVALID_ARGUMENT,