On Sun, Mar 11, 2018 at 07:52:13AM -0400, Jeremy Bicha wrote:
> Control: reopen -1
> Control: tags -1 moreinfo
> On Thu, Dec 21, 2017 at 7:55 AM, Salvatore Bonaccorso <car...@debian.org>
> > Source: abiword
> > Version: 3.0.2-5
> > Severity: normal
> > Tags: security upstream
> > Hi,
> > the following vulnerability was published for abiword.
> > CVE-2017-17529:
> > | af/util/xp/ut_go_file.cpp in AbiWord 3.0.2-2 does not validate strings
> > | before launching the program specified by the BROWSER environment
> > | variable, which might allow remote attackers to conduct
> > | argument-injection attacks via a crafted URL.
> > Might be possible to just compile with --with-gnomevfs and not use the
> > problematic function.
> The --with-gnomevfs option is only for gtk2, but we build Abiword with gtk3.
> Also, it would be an RC bug to actually depend on gnome-vfs 
> Has this issue even been reported to the Abiword developers?
Don't think this was ever forwarded to abiword's upstream. Is abiword
upstream still active?
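The CVE text quoted above concerns strings reaching the `$BROWSER` program unvalidated. The following is an added example, not part of this thread and not AbiWord's code or any upstream fix: a sketch of validating a URL and building the argument vector directly instead of composing a command line. The function names, the scheme allow-list, the length limit and the assumption that `BROWSER` names a single executable are all hypothetical.

```cpp
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <string>
#include <vector>

// Hypothetical helper (not AbiWord code): accept only URLs that can be passed
// to a browser as a single argv element without being read as an option.
bool is_safe_browser_url(const std::string& url) {
    // Assumed allow-list; schemes are matched case-sensitively (conservative).
    static const char* const kSchemes[] = {"http://", "https://", "ftp://", "mailto:"};
    if (url.empty() || url.size() > 2048) return false;
    // Requiring a known scheme prefix also rules out a leading '-'.
    bool scheme_ok = false;
    for (const char* s : kSchemes)
        if (url.compare(0, std::strlen(s), s) == 0) scheme_ok = true;
    if (!scheme_ok) return false;
    for (unsigned char c : url) {
        // Whitespace, control bytes and non-ASCII must arrive percent-encoded.
        if (c <= 0x20 || c >= 0x7f) return false;
        // Characters RFC 3986 does not allow unencoded in a URI.
        if (std::strchr("\"<>\\^`{|}", c)) return false;
    }
    return true;
}

// Build the argument vector directly (suitable for execvp-style launching),
// so the URL is never re-split by a shell or command-line parser.
// Returns an empty vector when the launch must be refused.
std::vector<std::string> build_browser_argv(const char* browser, const std::string& url) {
    if (!browser || !*browser || !is_safe_browser_url(url)) return {};
    return {std::string(browser), url};
}

int main() {
    const char* browser = std::getenv("BROWSER");
    // Constructed sample inputs.
    const char* samples[] = {"https://example.org/a?x=1&y=2", "http://example.org/ --flag"};
    for (const char* u : samples)
        std::printf("%-32s -> %s\n", u,
                    build_browser_argv(browser ? browser : "xdg-open", u).empty() ? "refused" : "launch");
    return 0;
}
```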