Bug#884923: abiword: CVE-2017-17529

2019-01-04 Thread Jeremy Bicha
On Fri, Jan 4, 2019 at 3:31 PM Salvatore Bonaccorso  wrote:
> Did you get a chance to ping upstream on that issue and report it?

No, but you can if you like.

https://gitlab.gnome.org/World/AbiWord is the current source repo, but
you might need to still use bugzilla for reporting issues.

Thanks,
Jeremy Bicha



Bug#884923: abiword: CVE-2017-17529

2019-01-04 Thread Moritz Mühlenhoff
On Sun, May 27, 2018 at 10:54:06PM +0200, Gabriel Corona wrote:
> This seems correct with respect to injection through the URI:
> the URI string cannot be expanded into multiple arguments
> and is not passed to `system()`.

Agreed, this CVE seems like a non-issue; the CVE entry at MITRE
also only refers back to the Security Tracker...

Cheers,
Moritz



Bug#884923: abiword: CVE-2017-17529

2019-01-04 Thread Salvatore Bonaccorso
Hi Jeremy,

On Mon, Mar 12, 2018 at 10:07:05PM +0100, Salvatore Bonaccorso wrote:
> Jeremy,
> 
> On Sun, Mar 11, 2018 at 08:45:42AM -0400, Jeremy Bicha wrote:
> > On Sun, Mar 11, 2018 at 8:40 AM, Salvatore Bonaccorso  
> > wrote:
> > > Is abiword upstream still active?
> > 
> > Yes.
> > 
> > https://bugzilla.abisource.com/
> > 
> > Here's a git mirror of their svn repo. The git mirror is sometimes a
> > bit out of date.
> > https://github.com/AbiWord/abiword/commits/trunk
> 
> Thanks indeed for the pointer.
> 
> Can you forward the issue to upstream?

Did you get a chance to ping upstream on that issue and report it?

Regards,
Salvatore



Bug#884923: abiword: CVE-2017-17529

2018-05-27 Thread Gabriel Corona
Hi,

Are you sure this is vulnerable? I did not manage to trigger anything
problematic.

The code referenced is (in fallback_open_uri):


    gint    argc;
    gchar **argv = NULL;
    char   *cmd_line = g_strconcat (browser, " %1", NULL);

    if (g_shell_parse_argv (cmd_line, &argc, &argv, err)) {
        /* check for '%1' in an argument and substitute the url
         * otherwise append it */
        gint i;
        char *tmp;

        for (i = 1 ; i < argc ; i++)
            if (NULL != (tmp = strstr (argv[i], "%1"))) {
                *tmp = '\0';
                tmp = g_strconcat (argv[i],
                    (clean_url != NULL) ? (char const *)clean_url : url,
                    tmp+2, NULL);
                g_free (argv[i]);
                argv[i] = tmp;
                break;
            }

        /* there was actually a %1, drop the one we added */
        if (i != argc-1) {
            g_free (argv[argc-1]);
            argv[argc-1] = NULL;
        }
        g_spawn_async (NULL, argv, NULL, G_SPAWN_SEARCH_PATH,
            NULL, NULL, NULL, err);
        g_strfreev (argv);
    }
    g_free (cmd_line);


This seems correct with respect to injection through the URI:
the URI string cannot be expanded into multiple arguments
and is not passed to `system()`.

-- 
Gabriel
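
[Editor's added illustration of the ordering analysed in the message above. This is not code from AbiWord or from the thread. The point Gabriel makes rests on the order of operations in fallback_open_uri: the command template is shell-split first and the URL is spliced into one already-split argv element afterwards, and that argv goes to g_spawn_async without a shell, so the URL can neither be re-split into extra arguments nor reach system(). The model below uses Python's shlex.split as a stand-in for g_shell_parse_argv (both do POSIX-style word splitting without executing anything; they are not identical in every corner case). The BROWSER values and the hostile URL are constructed test inputs. The contrasting interpolate_then_split() shows the ordering that would have been a problem. looks_like_option() is a general argument-injection check added here for completeness; whether any browser treats such a value as an option is not something the thread examines.]

```python
import shlex
from typing import List

# Constructed sample inputs (not from the bug report): a BROWSER value with
# no placeholder, one with an embedded %1, and a URL stuffed with the shell
# metacharacters an attacker would hope get re-split or interpreted.
BROWSER_PLAIN = "xdg-open"
BROWSER_WITH_PLACEHOLDER = "firefox --new-tab=%1"
HOSTILE_URL = "http://a.example/?q=1 --evil-flag 'x y'; touch /tmp/pwned"
BENIGN_URL = "http://a.example/"


def fallback_argv(browser: str, url: str) -> List[str]:
    """Mirror the ordering in fallback_open_uri: append " %1", shell-split the
    template (shlex.split stands in for g_shell_parse_argv), then substitute
    the URL into the single argv element holding %1. The URL itself is never
    shell-parsed, so whatever it contains stays inside one argument."""
    cmd_line = browser + " %1"
    argv = shlex.split(cmd_line)
    if len(argv) < 2:
        raise ValueError("template did not yield a program and a placeholder")
    for i in range(1, len(argv)):
        if "%1" in argv[i]:
            argv[i] = argv[i].replace("%1", url, 1)  # first occurrence only
            break
    # "there was actually a %1, drop the one we added"
    if i != len(argv) - 1:
        argv.pop()
    return argv


def interpolate_then_split(browser: str, url: str) -> List[str]:
    """The ordering the thread rules out: put the URL into the command string
    first, then shell-split it. Whitespace and quotes in the URL now shape
    argv. (Handing the joined string to system() would be worse still, since
    ';' would start a second command.)"""
    return shlex.split(browser + " " + url)


def url_stays_single_argument(browser: str, url: str) -> bool:
    """Practitioner check: a hostile URL must not change the argv length
    relative to a benign one, and must appear verbatim inside one element."""
    hostile = fallback_argv(browser, url)
    benign = fallback_argv(browser, BENIGN_URL)
    return len(hostile) == len(benign) and any(url in arg for arg in hostile)


def looks_like_option(url: str) -> bool:
    """General argument-injection caveat (added here, not from the thread):
    a value occupying one argv slot can still be read as an option by the
    spawned program if it starts with '-'. Callers wanting to exclude that
    can require an explicit scheme before spawning."""
    return url.startswith("-")


if __name__ == "__main__":
    for browser in (BROWSER_PLAIN, BROWSER_WITH_PLACEHOLDER):
        print("parse-then-substitute:", fallback_argv(browser, HOSTILE_URL))
    print("interpolate-then-split:", interpolate_then_split(BROWSER_PLAIN, HOSTILE_URL))
```

Running it shows the safe ordering yielding exactly two argv elements for either BROWSER value, with the whole hostile string (spaces, quotes and ';' included) sitting in the second; the reversed ordering yields six elements, among them a stray `--evil-flag` and a `touch` word. Since g_spawn_async with G_SPAWN_SEARCH_PATH execs argv directly, the ';' in the safe case is an inert character in the URL argument, which is the observation the message above makes.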



Bug#884923: abiword: CVE-2017-17529

2018-03-12 Thread Salvatore Bonaccorso
Jeremy,

On Sun, Mar 11, 2018 at 08:45:42AM -0400, Jeremy Bicha wrote:
> On Sun, Mar 11, 2018 at 8:40 AM, Salvatore Bonaccorso  
> wrote:
> > Is abiword upstream still active?
> 
> Yes.
> 
> https://bugzilla.abisource.com/
> 
> Here's a git mirror of their svn repo. The git mirror is sometimes a
> bit out of date.
> https://github.com/AbiWord/abiword/commits/trunk

Thanks indeed for the pointer.

Can you forward the issue to upstream?

Regards,
Salvatore



Bug#884923: abiword: CVE-2017-17529

2018-03-11 Thread Jeremy Bicha
On Sun, Mar 11, 2018 at 8:40 AM, Salvatore Bonaccorso  wrote:
> Is abiword upstream still active?

Yes.

https://bugzilla.abisource.com/

Here's a git mirror of their svn repo. The git mirror is sometimes a
bit out of date.
https://github.com/AbiWord/abiword/commits/trunk

Thanks,
Jeremy Bicha



Bug#884923: abiword: CVE-2017-17529

2018-03-11 Thread Salvatore Bonaccorso
Hi Jeremy,

On Sun, Mar 11, 2018 at 07:52:13AM -0400, Jeremy Bicha wrote:
> Control: reopen -1
> Control: tags -1 moreinfo
> 
> On Thu, Dec 21, 2017 at 7:55 AM, Salvatore Bonaccorso  
> wrote:
> > Source: abiword
> > Version: 3.0.2-5
> > Severity: normal
> > Tags: security upstream
> >
> > Hi,
> >
> > the following vulnerability was published for abiword.
> >
> > CVE-2017-17529[0]:
> > | af/util/xp/ut_go_file.cpp in AbiWord 3.0.2-2 does not validate strings
> > | before launching the program specified by the BROWSER environment
> > | variable, which might allow remote attackers to conduct
> > | argument-injection attacks via a crafted URL.
> >
> > Might be possible to just compile with --with-gnomevfs and not use the
> > problematic function.
> 
> The --with-gnomevfs option is only for gtk2, but we build Abiword with gtk3.
> 
> Also, it would be an RC bug to actually depend on gnome-vfs [1]
> 
> https://lists.debian.org/debian-devel/2018/02/msg00169.html
> 
> Has this issue even been reported to the Abiword developers?

Don't think this was ever forwarded to abiword's upstream. Is abiword
upstream still active?

Regards,
Salvatore



Bug#884923: abiword: CVE-2017-17529

2018-03-11 Thread Jeremy Bicha
Control: reopen -1
Control: tags -1 moreinfo

On Thu, Dec 21, 2017 at 7:55 AM, Salvatore Bonaccorso  wrote:
> Source: abiword
> Version: 3.0.2-5
> Severity: normal
> Tags: security upstream
>
> Hi,
>
> the following vulnerability was published for abiword.
>
> CVE-2017-17529[0]:
> | af/util/xp/ut_go_file.cpp in AbiWord 3.0.2-2 does not validate strings
> | before launching the program specified by the BROWSER environment
> | variable, which might allow remote attackers to conduct
> | argument-injection attacks via a crafted URL.
>
> Might be possible to just compile with --with-gnomevfs and not use the
> problematic function.

The --with-gnomevfs option is only for gtk2, but we build Abiword with gtk3.

Also, it would be an RC bug to actually depend on gnome-vfs [1]

https://lists.debian.org/debian-devel/2018/02/msg00169.html

Has this issue even been reported to the Abiword developers?

Thanks,
Jeremy Bicha



Processed: Re: Bug#884923: abiword: CVE-2017-17529

2018-03-11 Thread Debian Bug Tracking System
Processing control commands:

> reopen -1
Bug #884923 {Done: Simon Quigley } [src:abiword] abiword: 
CVE-2017-17529
'reopen' may be inappropriate when a bug has been closed with a version;
all fixed versions will be cleared, and you may need to re-add them.
Bug reopened
No longer marked as fixed in versions abiword/3.0.2-6.
> tags -1 moreinfo
Bug #884923 [src:abiword] abiword: CVE-2017-17529
Added tag(s) moreinfo.

-- 
884923: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884923
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#884923: abiword: CVE-2017-17529

2017-12-21 Thread Salvatore Bonaccorso
Source: abiword
Version: 3.0.2-5
Severity: normal
Tags: security upstream

Hi,

the following vulnerability was published for abiword.

CVE-2017-17529[0]:
| af/util/xp/ut_go_file.cpp in AbiWord 3.0.2-2 does not validate strings
| before launching the program specified by the BROWSER environment
| variable, which might allow remote attackers to conduct
| argument-injection attacks via a crafted URL.

Might be possible to just compile with --with-gnomevfs and not use the
problematic function.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-17529
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17529

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore