Bug#884923: abiword: CVE-2017-17529

2019-01-04 Thread Jeremy Bicha
On Fri, Jan 4, 2019 at 3:31 PM Salvatore Bonaccorso wrote: > Did you get a chance to ping upstream on that issue and report it? No, but you can if you like. https://gitlab.gnome.org/World/AbiWord is the current source repo, but you might need to still use bugzilla for reporting issues. Thanks,

Bug#884923: abiword: CVE-2017-17529

2019-01-04 Thread Moritz Mühlenhoff
On Sun, May 27, 2018 at 10:54:06PM +0200, Gabriel Corona wrote: > This seems correct with respect to injection through the URI: > the URI string cannot be expanded into multiple arguments > and is not passed to `system()`. Agreed, this CVE seems like a non-issue, the CVE entry at MITRE also only

Bug#884923: abiword: CVE-2017-17529

2019-01-04 Thread Salvatore Bonaccorso
Hi Jeremy, On Mon, Mar 12, 2018 at 10:07:05PM +0100, Salvatore Bonaccorso wrote: > Jeremy, > > On Sun, Mar 11, 2018 at 08:45:42AM -0400, Jeremy Bicha wrote: > > On Sun, Mar 11, 2018 at 8:40 AM, Salvatore Bonaccorso > > wrote: > > > Is abiword upstream still active? > > > > Yes. > > > >

Bug#884923: abiword: CVE-2017-17529

2018-05-27 Thread Gabriel Corona
Hi, Are you sure this is vulnerable? I did not manage to trigger anything problematic. The code referenced is (in fallback_open_uri): gint argc; gchar **argv = NULL; char *cmd_line = g_strconcat (browser, " %1", NULL); if (g_shell_parse_argv (cmd_line, &argc, &argv, err)) { /* check for '%1' in

Bug#884923: abiword: CVE-2017-17529

2018-03-12 Thread Salvatore Bonaccorso
Jeremy, On Sun, Mar 11, 2018 at 08:45:42AM -0400, Jeremy Bicha wrote: > On Sun, Mar 11, 2018 at 8:40 AM, Salvatore Bonaccorso > wrote: > > Is abiword upstream still active? > > Yes. > > https://bugzilla.abisource.com/ > > Here's a git mirror of their svn repo. The git

Bug#884923: abiword: CVE-2017-17529

2018-03-11 Thread Jeremy Bicha
On Sun, Mar 11, 2018 at 8:40 AM, Salvatore Bonaccorso wrote: > Is abiword upstream still active? Yes. https://bugzilla.abisource.com/ Here's a git mirror of their svn repo. The git mirror is sometimes a bit out of date. https://github.com/AbiWord/abiword/commits/trunk

Bug#884923: abiword: CVE-2017-17529

2018-03-11 Thread Salvatore Bonaccorso
Hi Jeremy, On Sun, Mar 11, 2018 at 07:52:13AM -0400, Jeremy Bicha wrote: > Control: reopen -1 > Control: tags -1 moreinfo > > On Thu, Dec 21, 2017 at 7:55 AM, Salvatore Bonaccorso > wrote: > > Source: abiword > > Version: 3.0.2-5 > > Severity: normal > > Tags: security

Bug#884923: abiword: CVE-2017-17529

2018-03-11 Thread Jeremy Bicha
Control: reopen -1 Control: tags -1 moreinfo On Thu, Dec 21, 2017 at 7:55 AM, Salvatore Bonaccorso wrote: > Source: abiword > Version: 3.0.2-5 > Severity: normal > Tags: security upstream > > Hi, > > the following vulnerability was published for abiword. > > CVE-2017-17529[0]:

Processed: Re: Bug#884923: abiword: CVE-2017-17529

2018-03-11 Thread Debian Bug Tracking System
Processing control commands: > reopen -1 Bug #884923 {Done: Simon Quigley } [src:abiword] abiword: CVE-2017-17529 'reopen' may be inappropriate when a bug has been closed with a version; all fixed versions will be cleared, and you may need to re-add them. Bug reopened No

Bug#884923: abiword: CVE-2017-17529

2017-12-21 Thread Salvatore Bonaccorso
Source: abiword Version: 3.0.2-5 Severity: normal Tags: security upstream Hi, the following vulnerability was published for abiword. CVE-2017-17529[0]: | af/util/xp/ut_go_file.cpp in AbiWord 3.0.2-2 does not validate strings | before launching the program specified by the BROWSER environment |