Hi Jeremy,

On Sun, Mar 11, 2018 at 07:52:13AM -0400, Jeremy Bicha wrote:
> Control: reopen -1
> Control: tags -1 moreinfo
>
> On Thu, Dec 21, 2017 at 7:55 AM, Salvatore Bonaccorso <car...@debian.org> wrote:
> > Source: abiword
> > Version: 3.0.2-5
> > Severity: normal
> > Tags: security upstream
> >
> > Hi,
> >
> > the following vulnerability was published for abiword.
> >
> > CVE-2017-17529:
> > | af/util/xp/ut_go_file.cpp in AbiWord 3.0.2-2 does not validate strings
> > | before launching the program specified by the BROWSER environment
> > | variable, which might allow remote attackers to conduct
> > | argument-injection attacks via a crafted URL.
> >
> > Might be possible to just compile with --with-gnomevfs and not use the
> > problematic function.
>
> The --with-gnomevfs option is only for gtk2, but we build Abiword with gtk3.
>
> Also, it would be an RC bug to actually depend on gnome-vfs
>
> https://lists.debian.org/debian-devel/2018/02/msg00169.html
>
> Has this issue even been reported to the Abiword developers?

Don't think this was ever forwarded to abiword's upstream. Is abiword upstream still active?

Regards,
Salvatore
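
The kind of string validation the quoted CVE-2017-17529 description says is missing, as an added example that is not part of this thread and not AbiWord's code. The function names, the scheme allowlist and the assumption that BROWSER holds a single executable name are all hypothetical.

```cpp
// Added example: hypothetical helpers, not AbiWord's ut_go_file.cpp.
#include <cstdlib>
#include <iostream>
#include <string>
#include <vector>

// True only for a URL that starts with an allowed lowercase scheme and
// contains no byte that could split it into words or need quoting.
bool url_is_safe_for_browser(const std::string& url) {
    static const std::string schemes[] = {"http://", "https://", "ftp://", "mailto:"};
    if (url.empty() || url.size() > 2048) return false;
    bool scheme_ok = false;
    for (const std::string& s : schemes)
        if (url.compare(0, s.size(), s) == 0) scheme_ok = true;
    if (!scheme_ok) return false;   // also rejects anything starting with '-'
    for (unsigned char c : url)
        if (c <= 0x20 || c >= 0x7f || c == '"' || c == '\'' || c == '\\' || c == '`')
            return false;
    return true;
}

// Assumption: BROWSER names one executable, with no arguments or %s template.
// Returns {program, url} for an exec-style call, or empty to refuse the launch.
std::vector<std::string> build_browser_argv(const char* browser_env,
                                            const std::string& url) {
    if (browser_env == nullptr) return {};
    const std::string program(browser_env);
    if (program.empty() || program[0] == '-' ||
        program.find_first_of(" \t\n%") != std::string::npos) return {};
    if (!url_is_safe_for_browser(url)) return {};
    return {program, url};   // URL stays a single argv element, no shell involved
}

int main() {
    // Constructed sample inputs.
    const char* samples[] = {"https://example.org/doc.html",
                             "--constructed-option=value",
                             "http://example.org/ --constructed-option"};
    for (const char* u : samples) {
        auto argv = build_browser_argv(std::getenv("BROWSER"), u);
        std::cout << (argv.empty() ? "refused:  " : "accepted: ") << u << "\n";
    }
    return 0;
}
```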