| Summary: | x11-misc/xdg-utils < 1.0.2-r1: xdg-open/email URL arbitrary command execution (CVE-2008-0386) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Robert Buchholz (RETIRED) <rbu> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | major | CC: | pva, ssuominen |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-0386 | | |
| Whiteboard: | A2 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description

Robert Buchholz (RETIRED) 2008-01-25 00:42:09 UTC

This affects xdg-email, too. That ${} is bash only, in case that is relevant (might need editing the #!). Patches are upstream, so this is semi-public. Please commit patches in the tree.

http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-open.in?r1=1.17&r2=1.18&view=patch
http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-open?r1=1.32&r2=1.33&view=patch
http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-email.in?r1=1.24&r2=1.25&view=patch
http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-email?r1=1.36&r2=1.37&view=patch

xdg-utils-1.0.2-r1.ebuild with fix applied committed.

The "commit straight to stable" part in my original message was meant as in "if you attach the ebuild here, Arch Liaisons can test it and we can commit to stable afterwards".

Moving to [glsa] then.

public via $url

GLSA 200801-21