Bug 207331 (CVE-2008-0386) - x11-misc/xdg-utils < 1.0.2-r1: xdg-open/email URL arbitrary command execution (CVE-2008-0386)
Status: RESOLVED FIXED
Alias: CVE-2008-0386
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A2 [glsa]
Reported: 2008-01-25 00:42 UTC by Robert Buchholz (RETIRED)
Modified: 2008-01-30 23:14 UTC

Description Robert Buchholz (RETIRED) gentoo-dev 2008-01-25 00:42:09 UTC
Miroslav Lichvar discovered that xdg-open allows for arbitrary command
execution in case the URL can not be handled by KDE, GNOME, XFCE or
mimeopen.

The vulnerable line:
  browser_with_arg=`echo "$browser" | sed s#%s#"$1"#`
should be rewritten as:
  browser_with_arg=${browser//'%s'/"$1"}

according to upstream.

This issue is under embargo until Monday, Jan 28. Drac and pva, please create an updated ebuild and attach it to this bug if you want pre-stable testing to commit straight to stable on the date of the disclosure.
Do not commit anything to CVS yet.

If you want someone else to take care of this issue, please cc him/her on this bug.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-01-25 00:43:36 UTC
This affects xdg-email, too.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-01-25 00:54:45 UTC
That ${} is bash only, in case that is relevant (might need editing the #!)
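The following is an added example, not code from this bug report or from xdg-utils. It places the sed-based substitution quoted in the description beside upstream's bash parameter-expansion rewrite and runs both on constructed URLs, so the difference in how each treats the URL can be seen directly; it also uses a bash shebang, since (as comment 2 notes) the `${var//pat/repl}` expansion is bash-only. `BROWSER_TEMPLATE`, both function names, `verify_fix` and the two example URLs are assumptions made for this demonstration.

```bash
#!/bin/bash
# Added example, not code from the bug report or from xdg-utils: it contrasts
# the sed-based substitution the bug quotes with the bash parameter-expansion
# fix, on constructed inputs. BROWSER_TEMPLATE, both function names and the
# test URLs are inventions for this demonstration.

# Constructed browser template; xdg-open uses %s as the placeholder for the URL.
BROWSER_TEMPLATE='firefox %s'

# Vulnerable form (the line quoted in the bug): the URL becomes part of the
# sed *script*, so '#' (the s-command delimiter chosen here), '&' and other
# sed metacharacters inside the URL are parsed as sed syntax, not as data.
vulnerable_with_arg() {
    local browser="$BROWSER_TEMPLATE"
    echo "$browser" | sed s#%s#"$1"# 2>/dev/null
}

# Fixed form (upstream's rewrite): bash pattern substitution with a quoted
# "$1" replacement. The quoting matters: it keeps the URL as plain data even
# under bash 5.2's patsub_replacement option, where an unquoted & would expand
# to the matched text. This expansion is bash-only, hence the #!/bin/bash.
fixed_with_arg() {
    local browser="$BROWSER_TEMPLATE"
    local result=${browser//'%s'/"$1"}
    printf '%s\n' "$result"
}

# Constructed test URLs: one with a query-string '&', one with a '#' fragment.
AMP_URL='http://example.com/?a=1&b=2'
FRAG_URL='http://example.com/page#top'

# Runs the fixed form on both URLs; returns 0 only when each URL comes back
# verbatim inside the command line, which is the property the patch must hold.
verify_fix() {
    local u
    for u in "$AMP_URL" "$FRAG_URL"; do
        [ "$(fixed_with_arg "$u")" = "firefox $u" ] || return 1
    done
    return 0
}

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    for u in "$AMP_URL" "$FRAG_URL"; do
        # The sed form mangles the '&' URL (sed's & means "the matched text")
        # and produces nothing for the '#' URL (sed rejects the broken script).
        printf 'vulnerable: %s\n' "$(vulnerable_with_arg "$u")"
        printf 'fixed:      %s\n' "$(fixed_with_arg "$u")"
    done
    verify_fix && echo "fixed form keeps the URL intact"
fi
```

Running the script shows the sed form turning `a=1&b=2` into `a=1%sb=2` and printing nothing at all for a URL with a `#` fragment, while the bash form reproduces both URLs unchanged. The general lesson is the one the bug illustrates: never splice untrusted input into a program that has its own syntax (here a sed script) when a substitution that treats the input purely as data is available.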
Comment 4 Peter Volkov (RETIRED) gentoo-dev 2008-01-26 09:31:31 UTC
xdg-utils-1.0.2-r1.ebuild with fix applied committed.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-01-26 12:16:02 UTC
The "commit straight to stable" part in my original message was meant as in "if you attach the ebuild here, Arch Liaisons can test it and we can commit to stable afterwards".

Moving to [glsa] then.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-01-29 04:03:29 UTC
public via $url
Comment 7 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-01-30 23:14:29 UTC
GLSA 200801-21