Bug#463471: CVE-2008-0386 arbitrary code execution in xdg-utils via crafted path name
Nico Golde wrote:
>> The code in question is not present in the Debian package, because I have
>> patched it to use run-mailcap or sensible-browser instead.
> [...]
> Thanks, that looks secure to me. I missed the patch when
> looking at the package because its name does not imply any
> security relevant changes.

No, because it wasn't meant to be. It was merely a fortunate side effect :-)

> So thanks, I marked this as
> not-affected in our security tracker and thus closing this
> bug.

Thanks. I also noticed from the Bugzilla report that the same problem exists in xdg-email. However, fortunately, I had also patched that script to use sensible-browser instead :-)

-- 
Pelle
Bug#463471: CVE-2008-0386 arbitrary code execution in xdg-utils via crafted path name
Hi,

Nico Golde wrote:
> Source: xdg-utils
> Severity: grave
> Tags: security patch
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for xdg-utils.

The code in question is not present in the Debian package, because I have patched it to use run-mailcap or sensible-browser instead. The code:

> | browser_with_arg=`echo "$browser" | sed s#%s#"$1"#`
> |
> | if [ x"$browser_with_arg" = x"$browser" ]; then "$browser" "$1";
> | else $browser_with_arg;
> | fi

has been replaced by the patch debian/patches/xdg-open-generic with:

    if which run-mailcap >/dev/null && (echo "$1" | grep -q '^file://' || ! echo "$1" | egrep -q '^[a-zA-Z+\.\-]+:'); then
        local file=$(echo "$1" | sed 's%^file://%%')
        run-mailcap --action=view "$file"
    else
        sensible-browser "$1"
    fi

which does not use sed in the insecure way referred to by the CVE.

-- 
Pelle
Bug#463471: CVE-2008-0386 arbitrary code execution in xdg-utils via crafted path name
Source: xdg-utils
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for xdg-utils.

CVE-2008-0386[0]:
| Description of problem:
| The generic handler of xdg-open (i.e. when not running in KDE, GNOME or XFCE)
| has the following code:
|
| browser_with_arg=`echo "$browser" | sed s#%s#"$1"#`
|
| if [ x"$browser_with_arg" = x"$browser" ]; then "$browser" "$1";
| else $browser_with_arg;
| fi
|
| sed interprets any commands in the argument and the result is executed by the
| script.
|
| Version-Release number of selected component (if applicable):
| xdg-utils-1.0.2-2.fc8
|
| How reproducible:
| Always
|
| Steps to Reproduce:
| 1. uninstall perl-File-MimeInfo package (not necessary with xdg-utils-1.0.2-3)
| 2. start plain X session
| 3. xdg-open 'http://foo.org/bar#;g;sx$xtouch:foox'
|
| Actual results:
| File foo created.
|
| Expected results:
| The page opened in a web browser.

The CVE id for this is still on status RESERVED, it will be
released in the next days.

You can find patches for the described issues on:
http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-email?r1=1.36&r2=1.37&view=patch
http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-email.in?r1=1.24&r2=1.25&view=patch
http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-open?r1=1.32&r2=1.33&view=patch
http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-open.in?r1=1.17&r2=1.18&view=patch

If you fix this vulnerability please also include the CVE id
in your changelog entry.

For further information:
[0] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-0386

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
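
Added example, not part of the original thread and not code from xdg-utils or the Debian patch: one way to expand %s in a browser command template with shell parameter expansion only, so the URL is never handed to sed as part of a script and never re-split by the shell before execution. The function name expand_and_run and the sample template are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from xdg-utils or Debian).
# expand_and_run TEMPLATE URL
#   Splits only TEMPLATE into words, replaces the first "%s" in each word
#   with URL via parameter expansion, and runs the result as an argv list.
#   URL always stays inside a single argument, whatever characters it holds.
#   The body is a subshell, so "set -f" and the variables do not leak out.
expand_and_run() (
    template=$1
    url=$2
    substituted=no

    set -f              # no pathname expansion while splitting the template
    set -- $template    # deliberate word splitting of the template only
    [ "$#" -gt 0 ] || exit 1   # empty template: refuse to run URL as a command

    n=$#
    while [ "$n" -gt 0 ]; do
        word=$1
        shift
        case $word in
            *%s*)
                prefix=${word%%'%s'*}   # text before the first %s
                suffix=${word#*'%s'}    # text after the first %s
                word=$prefix$url$suffix # assignment: no splitting, no eval
                substituted=yes
                ;;
        esac
        set -- "$@" "$word"   # rotate the (possibly rewritten) word to the end
        n=$((n - 1))
    done

    # Same fallback as the original script: no %s means append the URL.
    [ "$substituted" = yes ] || set -- "$@" "$url"

    "$@"
)

# Constructed demo: the template is a sample, the URL is the one quoted in
# the bug report. It is printed as data and nothing else is executed.
expand_and_run 'echo opening %s' 'http://foo.org/bar#;g;sx$xtouch:foox'
```

The template itself is still split on whitespace, so it has to come from a trusted source such as the user's own environment; only the URL is treated as untrusted here.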