Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 331421 (CVE-2010-2809) - <www-client/uzbl-2010.08.05: User-assisted execution of arbitrary commands via @SELECTED_URI (CVE-2010-2809)
Summary: <www-client/uzbl-2010.08.05: User-assisted execution of arbitrary commands vi...
Status: RESOLVED FIXED
Alias: CVE-2010-2809
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://www.uzbl.org/news.php?id=29
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2010-08-06 10:54 UTC by Alex Alexander (RETIRED)
Modified: 2014-12-12 00:34 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Alexander (RETIRED) gentoo-dev 2010-08-06 10:54:41 UTC
Quoting from $URL:

"The 2010.08.05 release comes with a patched config file.
With shell code in hyperlinks on a page, one of the sample (uzbl-core) resp. default (uzbl-browser) button bindings (binding for mousebutton2) would execute this code."

"Note that just upgrading your uzbl is not enough. If you have an existing config, the change will not be automatically applied.
So be sure you have this change in your config."

More info here: http://www.uzbl.org/bugs/index.php?do=details&task_id=240

I'll commit =www-client/uzbl-2010.08.05 which includes the config fix and ewarns with instructions for current users.
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-08-06 17:09:38 UTC
Arches, please test and mark stable:
=www-client/uzbl-2010.08.05
Target keywords : "amd64 x86"
Comment 2 Markos Chandras (RETIRED) gentoo-dev 2010-08-06 17:31:42 UTC
amd64 done
Comment 3 David Abbott (RETIRED) gentoo-dev 2010-08-06 21:25:23 UTC
All good x86.
Comment 4 Myckel Habets 2010-08-07 06:19:15 UTC
Builds and runs fine on x86. Please mark stable for x86.
Comment 5 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-08-07 23:17:35 UTC
x86 stable, thanks David and Myckel
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2010-09-03 21:49:37 UTC
CVE-2010-2809 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2809):
  The default configuration of the <Button2> binding in Uzbl before
  2010.08.05 does not properly use the @SELECTED_URI feature, which
  allows user-assisted remote attackers to execute arbitrary commands
  via a crafted HREF attribute of an A element in an HTML document.

Comment 7 Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2014-06-02 13:29:54 UTC
(Kéwan: Note: This bug has been handled, no maintainer actions are needed here.)
Comment 8 Sean Amoss (RETIRED) gentoo-dev Security 2014-12-12 00:34:30 UTC
This issue was resolved and addressed in
 GLSA 201412-08 at http://security.gentoo.org/glsa/glsa-201412-08.xml
by GLSA coordinator Sean Amoss (ackle).