Bug#884923: abiword: CVE-2017-17529
On Fri, Jan 4, 2019 at 3:31 PM Salvatore Bonaccorso wrote:
> Did you get a chance to ping upstream on that issue and report it?

No, but you can if you like.

https://gitlab.gnome.org/World/AbiWord is the current source repo, but
you might need to still use bugzilla for reporting issues.

Thanks,
Jeremy Bicha
Bug#884923: abiword: CVE-2017-17529
On Sun, May 27, 2018 at 10:54:06PM +0200, Gabriel Corona wrote:
> This seems correct with respect to injection through the URI:
> the URI string cannot be expanded into multiple arguments
> and is not passed to `system()`.

Agreed, this CVE seems like a non-issue, the CVE entry at MITRE also only
refers back to the Security Tracker...

Cheers,
Moritz
Bug#884923: abiword: CVE-2017-17529
Hi Jeremy,

On Mon, Mar 12, 2018 at 10:07:05PM +0100, Salvatore Bonaccorso wrote:
> Jeremy,
>
> On Sun, Mar 11, 2018 at 08:45:42AM -0400, Jeremy Bicha wrote:
> > On Sun, Mar 11, 2018 at 8:40 AM, Salvatore Bonaccorso
> > wrote:
> > > Is abiword upstream still active?
> >
> > Yes.
> >
> > https://bugzilla.abisource.com/
> >
> > Here's a git mirror of their svn repo. The git mirror is sometimes a
> > bit out of date.
> > https://github.com/AbiWord/abiword/commits/trunk
>
> Thanks, indeed for the pointer.
>
> Can you forward the issue to upstream?

Did you get a chance to ping upstream on that issue and report it?

Regards,
Salvatore
Bug#884923: abiword: CVE-2017-17529
Hi,

Are you sure this is vulnerable? I did not manage to trigger
anything problematic.

The code referenced is (in fallback_open_uri):

    gint    argc;
    gchar **argv = NULL;
    char   *cmd_line = g_strconcat (browser, " %1", NULL);

    if (g_shell_parse_argv (cmd_line, &argc, &argv, err)) {
        /* check for '%1' in an argument and substitute the url
         * otherwise append it */
        gint i;
        char *tmp;

        for (i = 1 ; i < argc ; i++)
            if (NULL != (tmp = strstr (argv[i], "%1"))) {
                *tmp = '\0';
                tmp = g_strconcat (argv[i],
                    (clean_url != NULL) ? (char const *)clean_url : url,
                    tmp+2, NULL);
                g_free (argv[i]);
                argv[i] = tmp;
                break;
            }

        /* there was actually a %1, drop the one we added */
        if (i != argc-1) {
            g_free (argv[argc-1]);
            argv[argc-1] = NULL;
        }
        g_spawn_async (NULL, argv, NULL, G_SPAWN_SEARCH_PATH,
            NULL, NULL, NULL, err);
        g_strfreev (argv);
    }
    g_free (cmd_line);

This seems correct with respect to injection through the URI:
the URI string cannot be expanded into multiple arguments
and is not passed to `system()`.

--
Gabriel
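The ordering point made in the message above, as an added example that is not part of the original thread and is not AbiWord code: Python's shlex.split stands in for g_shell_parse_argv, and the browser name, its options and the URL are constructed. It compares the order the quoted code uses (parse the command line, then substitute the URL into one argument) with the reverse order.

```python
import shlex

def parse_then_substitute(browser, url):
    """Order used by the quoted fallback_open_uri: split the command line
    first, then paste the URL into one already-split argument."""
    argv = shlex.split(browser + " %1")   # stand-in for g_shell_parse_argv
    for i in range(1, len(argv)):
        if "%1" in argv[i]:
            argv[i] = argv[i].replace("%1", url, 1)
            if i != len(argv) - 1:
                argv.pop()                # template had its own %1: drop ours
            break
    return argv

def substitute_then_parse(browser, url):
    """Contrast only, NOT what the quoted code does: paste the URL into the
    string first, so the shell-style parser sees the URL's own whitespace."""
    template = browser if "%1" in browser else browser + " %1"
    return shlex.split(template.replace("%1", url, 1))

# Constructed inputs: "mybrowser" and its options are hypothetical.
URL = "http://example.test/page --constructed-flag"

if __name__ == "__main__":
    for browser in ("mybrowser", "mybrowser --open=%1 --quiet"):
        print(parse_then_substitute(browser, URL))
        print(substitute_then_parse(browser, URL))
```

With parse-then-substitute the whole URL, space included, stays in a single argv element in both templates; only the reversed order lets the text after the space become a separate argument.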
Bug#884923: abiword: CVE-2017-17529
Jeremy,

On Sun, Mar 11, 2018 at 08:45:42AM -0400, Jeremy Bicha wrote:
> On Sun, Mar 11, 2018 at 8:40 AM, Salvatore Bonaccorso
> wrote:
> > Is abiword upstream still active?
>
> Yes.
>
> https://bugzilla.abisource.com/
>
> Here's a git mirror of their svn repo. The git mirror is sometimes a
> bit out of date.
> https://github.com/AbiWord/abiword/commits/trunk

Thanks, indeed for the pointer.

Can you forward the issue to upstream?

Regards,
Salvatore
Bug#884923: abiword: CVE-2017-17529
On Sun, Mar 11, 2018 at 8:40 AM, Salvatore Bonaccorso wrote:
> Is abiword upstream still active?

Yes.

https://bugzilla.abisource.com/

Here's a git mirror of their svn repo. The git mirror is sometimes a
bit out of date.
https://github.com/AbiWord/abiword/commits/trunk

Thanks,
Jeremy Bicha
Bug#884923: abiword: CVE-2017-17529
Hi Jeremy,

On Sun, Mar 11, 2018 at 07:52:13AM -0400, Jeremy Bicha wrote:
> Control: reopen -1
> Control: tags -1 moreinfo
>
> On Thu, Dec 21, 2017 at 7:55 AM, Salvatore Bonaccorso
> wrote:
> > Source: abiword
> > Version: 3.0.2-5
> > Severity: normal
> > Tags: security upstream
> >
> > Hi,
> >
> > the following vulnerability was published for abiword.
> >
> > CVE-2017-17529[0]:
> > | af/util/xp/ut_go_file.cpp in AbiWord 3.0.2-2 does not validate strings
> > | before launching the program specified by the BROWSER environment
> > | variable, which might allow remote attackers to conduct
> > | argument-injection attacks via a crafted URL.
> >
> > Might be possible to just compile with --with-gnomevfs and not use the
> > problematic function.
>
> The --with-gnomevfs option is only for gtk2, but we build Abiword with gtk3.
>
> Also, it would be an RC bug to actually depend on gnome-vfs [1]
>
> https://lists.debian.org/debian-devel/2018/02/msg00169.html
>
> Has this issue even been reported to the Abiword developers?

Don't think this was ever forwarded to abiword's upstream.

Is abiword upstream still active?

Regards,
Salvatore
Bug#884923: abiword: CVE-2017-17529
Control: reopen -1
Control: tags -1 moreinfo

On Thu, Dec 21, 2017 at 7:55 AM, Salvatore Bonaccorso wrote:
> Source: abiword
> Version: 3.0.2-5
> Severity: normal
> Tags: security upstream
>
> Hi,
>
> the following vulnerability was published for abiword.
>
> CVE-2017-17529[0]:
> | af/util/xp/ut_go_file.cpp in AbiWord 3.0.2-2 does not validate strings
> | before launching the program specified by the BROWSER environment
> | variable, which might allow remote attackers to conduct
> | argument-injection attacks via a crafted URL.
>
> Might be possible to just compile with --with-gnomevfs and not use the
> problematic function.

The --with-gnomevfs option is only for gtk2, but we build Abiword with gtk3.

Also, it would be an RC bug to actually depend on gnome-vfs [1]

https://lists.debian.org/debian-devel/2018/02/msg00169.html

Has this issue even been reported to the Abiword developers?

Thanks,
Jeremy Bicha
Processed: Re: Bug#884923: abiword: CVE-2017-17529
Processing control commands:

> reopen -1
Bug #884923 {Done: Simon Quigley } [src:abiword] abiword: CVE-2017-17529
'reopen' may be inappropriate when a bug has been closed with a version;
all fixed versions will be cleared, and you may need to re-add them.
Bug reopened
No longer marked as fixed in versions abiword/3.0.2-6.
> tags -1 moreinfo
Bug #884923 [src:abiword] abiword: CVE-2017-17529
Added tag(s) moreinfo.

--
884923: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884923
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#884923: abiword: CVE-2017-17529
Source: abiword
Version: 3.0.2-5
Severity: normal
Tags: security upstream

Hi,

the following vulnerability was published for abiword.

CVE-2017-17529[0]:
| af/util/xp/ut_go_file.cpp in AbiWord 3.0.2-2 does not validate strings
| before launching the program specified by the BROWSER environment
| variable, which might allow remote attackers to conduct
| argument-injection attacks via a crafted URL.

Might be possible to just compile with --with-gnomevfs and not use the
problematic function.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-17529
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17529

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore