207331 CVE-2008-0386 2008-01-25 00:42 0000 x11-misc/xdg-utils < 1.0.2-r1: xdg-open/email URL arbitrary command execution (CVE-2008-0386) 2008-01-30 23:14:29 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-0386 A2 [glsa] P2 major --- 1 rbu@gentoo.org security@gentoo.org pva@gentoo.org ssuominen@gentoo.org rbu@gentoo.org 2008-01-25 00:42:09 0000 Miroslav Lichvar discovered that xdg-open allows for arbitrary command execution in case the URL can not be handled by KDE, GNOME, XFCE or mimeopen. The vulnerable line: browser_with_arg=`echo "$browser" | sed s#%s#"$1"#` should be rewritten as: browser_with_arg=${browser//'%s'/"$1"} according to upstream. This issue is under embargo until Monday, Jan 28. Drac and pva, please create an updated ebuild and attach it to this bug if you want pre-stable testing to commit straight to stable on the date of the disclosure. Do not commit anything to CVS yet. If you want someone else to take care of this issue, please cc him/her on this bug. rbu@gentoo.org 2008-01-25 00:43:36 0000 This affects xdg-email, too. rbu@gentoo.org 2008-01-25 00:54:45 0000 That ${} is bash only, in case that is relevant (might need editing the #!) rbu@gentoo.org 2008-01-25 14:25:58 0000 Patches are upstream, so this is semi-public. Please commit patches in the tree. http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-open.in?r1=1.17&r2=1.18&view=patch http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-open?r1=1.32&r2=1.33&view=patch http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-email.in?r1=1.24&r2=1.25&view=patch http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-email?r1=1.36&r2=1.37&view=patch pva@gentoo.org 2008-01-26 09:31:31 0000 xdg-utils-1.0.2-r1.ebuild with fix applied commited. rbu@gentoo.org 2008-01-26 12:16:02 0000 The "commit straight to stable" part in my original message was meant as in "if you attach the ebuild here, Arch Liaisons can test it and we can commit to stable afterwards". Moving to [glsa] then. rbu@gentoo.org 2008-01-29 04:03:29 0000 public via $url py@gentoo.org 2008-01-30 23:14:29 0000 GLSA 200801-21