Bug 207331 - x11-misc/xdg-utils < 1.0.2-r1: xdg-open/email URL arbitrary command execution (CVE-2008-0386)
|
Bug#:
207331
(CVE-2008-0386)
|
Product: Gentoo Security
|
Version: unspecified
|
Platform: All
|
|
OS/Version: Linux
|
Status: RESOLVED
|
Severity: major
|
Priority: P2
|
|
Resolution: FIXED
|
Assigned To: security@gentoo.org
|
Reported By: rbu@gentoo.org
|
|
Component: Vulnerabilities
|
|
|
URL:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-0386
|
|
Summary: x11-misc/xdg-utils < 1.0.2-r1: xdg-open/email URL arbitrary command execution (CVE-2008-0386)
|
|
Keywords:
|
|
Status Whiteboard: A2 [glsa]
|
|
Opened: 2008-01-25 00:42 0000
|
Miroslav Lichvar discovered that xdg-open allows for arbitrary command
execution in case the URL can not be handled by KDE, GNOME, XFCE or
mimeopen.
The vulnerable line:
browser_with_arg=`echo "$browser" | sed s#%s#"$1"#`
should be rewritten as:
browser_with_arg=${browser//'%s'/"$1"}
according to upstream.
This issue is under embargo until Monday, Jan 28. Drac and pva, please create
an updated ebuild and attach it to this bug if you want pre-stable testing to
commit straight to stable on the date of the disclosure.
Do not commit anything to CVS yet.
If you want someone else to take care of this issue, please cc him/her on this
bug.
This affects xdg-email, too.
That ${} is bash only, in case that is relevant (might need editing the #!)
xdg-utils-1.0.2-r1.ebuild with fix applied commited.
The "commit straight to stable" part in my original message was meant as in "if
you attach the ebuild here, Arch Liaisons can test it and we can commit to
stable afterwards".
Moving to [glsa] then.
