Bug#972146: /usr/share/applications/mono-runtime-common.desktop: should not handle MIME type by executing arbitrary code
Hi Gabriel,

On Sat, Feb 18, 2023 at 12:04:27PM +0100, Gabriel Corona wrote:
> Hi!
>
> > A while has passed, and have now proposed the same change for bullseye
> > as well, cf. #1031527.
>
> Great!
>
> > There is no CVE assigned; if you feel strongly about it, can you try to
> > get one allocated by MITRE via the cveform? I think we won't go through
> > the needed workflow to assign a Debian specific CVE id for it. But we
> > will see what MITRE will respond on the request.
>
> I don't believe MITRE will accept such a request and redirect me to Debian
> [1].

I requested one directly from MITRE; it is now
https://www.cve.org/CVERecord?id=CVE-2023-26314 .

Regards,
Salvatore
Bug#972146: /usr/share/applications/mono-runtime-common.desktop: should not handle MIME type by executing arbitrary code
On Sat, Feb 18, 2023 at 12:04:27PM +0100, Gabriel Corona wrote:
> I believe obtaining a CVE ID would be beneficial so that this issue may be
> tracked by downstream projects/distributions.

All those distros were notified via your post to oss-security. You can try
cveform; if there's no assignment via that channel, that's about it.

In the past assigning CVEs for Debian was simple, but with some recent changes
it has become a complicated, time-consuming process and now we only do it in
select cases.

Cheers,
Moritz
Bug#972146: /usr/share/applications/mono-runtime-common.desktop: should not handle MIME type by executing arbitrary code
Hi!

> A while has passed, and have now proposed the same change for bullseye
> as well, cf. #1031527.

Great!

> There is no CVE assigned; if you feel strongly about it, can you try to
> get one allocated by MITRE via the cveform? I think we won't go through
> the needed workflow to assign a Debian specific CVE id for it. But we
> will see what MITRE will respond on the request.

I don't believe MITRE will accept such a request and redirect me to Debian
[1].

I believe obtaining a CVE ID would be beneficial so that this issue may be
tracked by downstream projects/distributions.

[1] https://www.cve.org/PartnerInformation/ListofPartners/partner/debian

Regards,
Gabriel
Bug#972146: /usr/share/applications/mono-runtime-common.desktop: should not handle MIME type by executing arbitrary code
Hi Gabriel,

On Thu, Feb 16, 2023 at 11:37:57PM +0100, Gabriel Corona wrote:
> Hi,
>
> Thanks for the patch!

Thanks for staying on top of the issue!

> This has been fixed in Debian testing and sid. However, stable is still
> affected. I believe it would make sense to port the patch to stable and
> allocate a CVE for this.

The last upload to unstable as NMU was for me personally too near to the
point release before Christmas. A while has passed, and have now proposed
the same change for bullseye as well, cf. #1031527. Thanks for pinging again
on it, much appreciated! So the issue will/should be fixed as well with the
upcoming point release.

There is no CVE assigned; if you feel strongly about it, can you try to get
one allocated by MITRE via the cveform? I think we won't go through the
needed workflow to assign a Debian specific CVE id for it. But we will see
what MITRE will respond on the request.

Regards,
Salvatore
Bug#972146: /usr/share/applications/mono-runtime-common.desktop: should not handle MIME type by executing arbitrary code
Hi,

Thanks for the patch!

This has been fixed in Debian testing and sid. However, stable is still
affected. I believe it would make sense to port the patch to stable and
allocate a CVE for this.

Regards,
Gabriel
Bug#972146: /usr/share/applications/mono-runtime-common.desktop: should not handle MIME type by executing arbitrary code
As a workaround, you should be able to disable this feature (and have the fix
persist after a package update) with something like:

mkdir -p /usr/local/share/applications
cp /usr/share/applications/mono-runtime-*.desktop /usr/local/share/applications
sed -i 's/^Exec=.*/Exec=false/' /usr/local/share/applications/mono-runtime-*.desktop

Regards,
Gabriel
Bug#972146: /usr/share/applications/mono-runtime-common.desktop: should not handle MIME type by executing arbitrary code
Hi,

Any help needed for this?

Regards,
Gabriel
Bug#972146: /usr/share/applications/mono-runtime-common.desktop: should not handle MIME type by executing arbitrary code
Hi Mono Maintainers,

On Tue, May 04, 2021 at 10:30:57PM +0200, Gabriel Corona wrote:
> Hi,
>
> Any update on this? This is actually very dangerous.
>
> $ xdg-open hello.exe
> Hello World!
> $ cp hello.exe hello.ΡDF # <- actually not a P but a uppercase rho
> $ xdg-open hello.PDF
> Hello World!

Friendly ping on this issue. This issue was ignored for the bullseye release,
at least during the freeze. Any suggestion for its further handling?

Regards,
Salvatore
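The following is an added example, not code from the bug report, from Gabriel's or Salvatore's mails, or from the mono package. It covers two points raised in the thread: the xdg-open demonstration above (a .desktop entry that registers an executable MIME type and passes the opened file to an interpreter is what makes "open" mean "run"), and the workaround posted earlier of shadowing the entry with a copy under /usr/local/share/applications whose Exec= is false, which works because /usr/local/share precedes /usr/share in the default XDG_DATA_DIRS order. The fixture it builds is a constructed stand-in in a temporary directory; its Exec= and MimeType= lines are an assumption about the shape of the real mono-runtime-common.desktop, not a copy of it, and the list of "executable" MIME types it checks is the example's own choice.

```shell
#!/bin/sh
# Added example, not code from the bug report or the mono package: detect
# .desktop handlers that would run an opened file, and show that the
# /usr/local/share/applications override from the workaround takes precedence.
# The fixture below is a constructed stand-in modelled on the reported entry;
# its exact Exec= and MimeType= lines are an assumption, not the real file.

# Return 0 if the .desktop file $1 registers an executable MIME type and its
# Exec= line passes the opened file to the program; return 1 otherwise.
desktop_runs_opened_file() {
    mime=$(sed -n 's/^MimeType=//p' "$1")
    cmd=$(sed -n 's/^Exec=//p' "$1")
    case "$mime" in
        *application/x-ms-dos-executable*|*application/x-msdownload*|*application/x-dotnet*|*application/vnd.microsoft.portable-executable*) ;;
        *) return 1 ;;
    esac
    case "$cmd" in
        *%f*|*%F*|*%u*|*%U*) return 0 ;;   # the opened file becomes an argument
        *) return 1 ;;                     # e.g. Exec=false from the workaround
    esac
}

# Print the path of the .desktop entry named $1 that a desktop environment
# would use, searching applications/ under each dir of the colon-separated
# list $2 in XDG_DATA_DIRS order (first hit wins). Return 1 if none exists.
resolve_desktop_entry() (
    IFS=:
    for d in $2; do
        if [ -f "$d/applications/$1" ]; then
            echo "$d/applications/$1"
            return 0
        fi
    done
    return 1
)

# Report every handler in the real XDG data dirs that would run an opened
# file. Shadowed copies are listed too; use resolve_desktop_entry to see
# which one is effective.
scan_system() (
    IFS=:
    for d in ${XDG_DATA_DIRS:-/usr/local/share:/usr/share}; do
        for f in "$d"/applications/*.desktop; do
            [ -f "$f" ] || continue
            desktop_runs_opened_file "$f" && echo "$f: Exec=$(sed -n 's/^Exec=//p' "$f")"
        done
    done
    return 0
)

# Constructed fixture tree (a temporary directory) with the assumed handler
# installed under usr/share and an empty usr/local/share override dir.
make_fixtures() {
    base=$(mktemp -d)
    mkdir -p "$base/usr/share/applications" "$base/usr/local/share/applications"
    cat > "$base/usr/share/applications/mono-runtime-common.desktop" <<'EOF'
[Desktop Entry]
Type=Application
Name=Mono Runtime
NoDisplay=true
Exec=mono %f
MimeType=application/x-ms-dos-executable;
EOF
    echo "$base"
}

# The workaround from the bug report, applied against a fixture tree $1
# instead of the live filesystem.
apply_override() {
    cp "$1"/usr/share/applications/mono-runtime-*.desktop "$1/usr/local/share/applications"
    sed -i 's/^Exec=.*/Exec=false/' "$1"/usr/local/share/applications/mono-runtime-*.desktop
}

# Walk through it: before the override the system entry is effective and runs
# the file; afterwards the local copy shadows it and Exec=false does nothing.
demo() {
    base=$(make_fixtures)
    dirs="$base/usr/local/share:$base/usr/share"
    f=$(resolve_desktop_entry mono-runtime-common.desktop "$dirs")
    desktop_runs_opened_file "$f" && echo "before: $f runs opened files"
    apply_override "$base"
    f=$(resolve_desktop_entry mono-runtime-common.desktop "$dirs")
    desktop_runs_opened_file "$f" || echo "after:  $f is inert"
    rm -rf "$base"
}

[ "${1:-}" = demo ] && demo
```

Run it as `sh example.sh demo` to see the before/after on the fixture, or source it and call `scan_system` to list handlers on a real machine. Note that the workaround only neutralises the entry's Exec= line; the file still registers the MIME type, so the desktop will still associate the type with a handler that now does nothing, which is the intended outcome. An additional point the xdg-open demonstration makes is that the extension in the file name does not matter: xdg-open dispatches on the detected MIME type, so a PE file named with a homoglyph extension is still routed to whichever handler is effective for application/x-ms-dos-executable.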