Summary: | net-misc/clipgrab-2.0_beta-r1: Remove "Obeyator" for privacy reasons | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Hugo Mildenberger <Hugo.Mildenberger> |
Component: | Current packages | Assignee: | No maintainer - Look at https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers if you want to take care of it <maintainer-needed> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | a3li |
Priority: | High | Keywords: | InVCS |
Version: | unspecified | Flags: | tove:
Bugday+
|
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- |
Description
Hugo Mildenberger
2009-10-18 20:23:17 UTC
Currently, the downloaded textfile looks harmless: GET http://clipgrab.de/or.php?version=2.0-beta2&lang=de HTTP/1.1 Connection: Keep-Alive Host: clipgrab.de HTTP/1.1 200 OK Date: Mon, 19 Oct 2009 11:03:28 GMT Server: Apache/1.3 (Unix) mod_ssl/2.8.28 OpenSSL/0.9.8f AuthPG/1.3 FrontPage/5.0.2.2635 X-Powered-By: PHP/5.2.8 Connection: close Transfer-Encoding: chunked Content-Type: text/html 58 url "http://clipgrab.de/thanks_de.html" \\started "2.0-beta2"\\ set started "2.0-beta2" 0 ping ... I quickly looked into this, but I am not too sure this is actually exploitable: 46 QProcess *app = new QProcess(this); 48 app -> start("xdg-open " + string.split("\"")[1]); It seems QProcess->start starts exactly one command, but not in a shell, so no metacharacters. xdg-open then processes again only one argument, a file/URL to open. So you might execute something, but without any parameters. At any rate, if you have a working exploit or further comments, please feel free contact us privately by email (see the address in the "Assigned To" field). So, unless we get hard evidence this is exploitable, I would not handle this as a security issue, however bluebird might choose to remove the code for privacy's sake. We didn't recieve any PoC, or other conclusive arguments, reassigning to maintainer for a "regular" removal of the code. Fixed in main tree during virtual/ffmpeg move. |