Control: reopen -1
Control: tags -1 moreinfo

On Thu, Dec 21, 2017 at 7:55 AM, Salvatore Bonaccorso <car...@debian.org> wrote:
> Source: abiword
> Version: 3.0.2-5
> Severity: normal
> Tags: security upstream
>
> Hi,
>
> the following vulnerability was published for abiword.
>
> CVE-2017-17529[0]:
> | af/util/xp/ut_go_file.cpp in AbiWord 3.0.2-2 does not validate strings
> | before launching the program specified by the BROWSER environment
> | variable, which might allow remote attackers to conduct
> | argument-injection attacks via a crafted URL.
>
> Might be possible to just compile with --with-gnomevfs and not use the
> problematic function.

The --with-gnomevfs option is only for gtk2, but we build Abiword with gtk3.

Also, it would be an RC bug to actually depend on gnome-vfs [1]

https://lists.debian.org/debian-devel/2018/02/msg00169.html

Has this issue even been reported to the Abiword developers?

Thanks,
Jeremy Bicha

Reply via email to