Hi,

On Sat, Aug 31, 2019 at 03:09:59AM +0200, J. Scheurich wrote:
> Hi,
>
> https://www.cvedetails.com/cve/CVE-2017-17518/
>
> | swt/motif/browser.c in White_dune (aka whitedune) 0.30.10 does not validate strings before launching the program specified
> | by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a
> | crafted URL.
> | Publish Date : 2017-12-14 Last Update Date : 2018-01-02

I guess the CVE description was possibly misleading here or leading to a non-issue in practice itself and relates to https://sources.debian.org/src/whitedune/0.30.10-2.1/src/swt/motif/browser.c/?hl=159#L214 where the strings passed are not validated before, and might thus, depending on the set browser, allow to conduct argument-injection attacks.

In any case we did already mark the CVE as unimportant/practical non-issue security wise on our end.

Can you follow up with your information to MITRE via https://cveform.mitre.org/ so they might update the CVE entry with additional information?

Regards,
Salvatore
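An added example, not part of the original message and not whitedune's code: a sketch of the kind of string validation the CVE description says is missing before a URL is handed to the program named by BROWSER. The function names, the scheme allowlist and the rejected character set are assumptions chosen for illustration, and the launch is assumed to go through an argv array (for example `execvp`) rather than a shell.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical helper: returns 1 if url may be passed to an external
 * browser as one argv element, 0 otherwise. */
int url_is_safe_arg(const char *url)
{
    /* Assumed allowlist; a real application would pick its own. */
    static const char *const schemes[] = { "http://", "https://", "file:///" };
    size_t i, n = sizeof schemes / sizeof schemes[0];
    const unsigned char *p;

    if (url == NULL || url[0] == '\0' || url[0] == '-')
        return 0;                /* empty, or would be parsed as an option */
    for (i = 0; i < n; i++)
        if (strncmp(url, schemes[i], strlen(schemes[i])) == 0)
            break;
    if (i == n)
        return 0;                /* scheme not on the allowlist */
    for (p = (const unsigned char *)url; *p != '\0'; p++) {
        if (isspace(*p) || iscntrl(*p))
            return 0;            /* could split into extra arguments */
        if (strchr("\"'`$;|<>\\", *p) != NULL)
            return 0;            /* quoting/substitution characters a
                                    wrapper script might re-interpret */
    }
    return 1;                    /* '?', '&', '=' stay legal for queries */
}

/* Hypothetical helper: fills argv for execvp(argv[0], (char *const *)argv).
 * Returns 0 on success, -1 if the browser name or URL is rejected. */
int build_browser_argv(const char *browser, const char *url,
                       const char *argv[3])
{
    if (browser == NULL || browser[0] == '\0' || !url_is_safe_arg(url))
        return -1;
    argv[0] = browser;           /* value of BROWSER, taken as one word */
    argv[1] = url;               /* validated URL, never concatenated */
    argv[2] = NULL;
    return 0;
}
```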
