Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 851201 (CVE-2022-32278) - <xfce-base/exo-{4.16.4,4.17.2}: can execute remote .desktop files
Summary: <xfce-base/exo-{4.16.4,4.17.2}: can execute remote .desktop files
Status: IN_PROGRESS
Alias: CVE-2022-32278
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa?]
Keywords:
Depends on: 851204
Blocks:
  Show dependency tree
 
Reported: 2022-06-11 11:11 UTC by Michał Górny
Modified: 2024-02-19 06:28 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-06-11 11:11:07 UTC
From the announcement:

Release notes for 4.16.4
========================
(Security Patch)

- exo-open : Only execute local .desktop files
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-06-11 20:42:44 UTC
Cool. A non-public CVE that you can only find in commit history.

https://gitlab.xfce.org/xfce/exo/-/commit/c71c04ff5882b2866a0d8506fb460d4ef796de9f
https://gitlab.xfce.org/xfce/exo/-/commit/cc047717c3b5efded2cc7bd419c41a3d1f1e48b6

Thank you for filing!
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-07-05 18:52:36 UTC
Cleanup done.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-05 19:48:47 UTC
Thanks!