
Bug 331421 (CVE-2010-2809)

Summary: <www-client/uzbl-2010.08.05: User-assisted execution of arbitrary commands via @SELECTED_URI (CVE-2010-2809)
Product: Gentoo Security
Reporter: Alex Alexander (RETIRED) <wired>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: proxy-maint, tharvik
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.uzbl.org/news.php?id=29
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description Alex Alexander (RETIRED) gentoo-dev 2010-08-06 10:54:41 UTC
Quoting from $URL:

"The 2010.08.05 release comes with a patched config file.
With shell code in hyperlinks on a page, one of the sample (uzbl-core) resp. default (uzbl-browser) button bindings (binding for mousebutton2) would execute this code."

"Note that just upgrading your uzbl is not enough. If you have an existing config, the change will not be automatically applied.
So be sure you have this change in your config."

More info here: http://www.uzbl.org/bugs/index.php?do=details&task_id=240

I'll commit =www-client/uzbl-2010.08.05 which includes the config fix and ewarns with instructions for current users.
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-08-06 17:09:38 UTC
Arches, please test and mark stable:
=www-client/uzbl-2010.08.05
Target keywords : "amd64 x86"
Comment 2 Markos Chandras (RETIRED) gentoo-dev 2010-08-06 17:31:42 UTC
amd64 done
Comment 3 David Abbott (RETIRED) gentoo-dev 2010-08-06 21:25:23 UTC
All good x86.
Comment 4 Myckel Habets 2010-08-07 06:19:15 UTC
Builds and runs fine on x86. Please mark stable for x86.
Comment 5 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-08-07 23:17:35 UTC
x86 stable, thanks David and Myckel
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2010-09-03 21:49:37 UTC
CVE-2010-2809 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2809):
  The default configuration of the <Button2> binding in Uzbl before
  2010.08.05 does not properly use the @SELECTED_URI feature, which
  allows user-assisted remote attackers to execute arbitrary commands
  via a crafted HREF attribute of an A element in an HTML document.
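
The mechanism described in the bug description and in the CVE text above, as an added shell example that is not part of uzbl or of this bug report: the hovered link's URI is expanded textually into a shell command string before the shell parses it, so an href carrying shell metacharacters becomes extra commands; the hardened form passes the URI to the shell as a positional parameter, where it is data rather than syntax. The exact wording of uzbl's old and new Button2 bindings is not reproduced here (that the old binding substituted @SELECTED_URI into the command text is an assumption drawn from the description); `open_hovered_uri_vulnerable`, `open_hovered_uri_fixed` and the `last_line_*` helpers are hypothetical names, the sample href is constructed, and `printf` stands in for the real `uzbl-browser` invocation so the script runs without uzbl installed.

```sh
#!/bin/sh
# Added example modelling the Button2 binding class of bug; not uzbl's code.
# printf stands in for "uzbl-browser" so the demo runs without uzbl installed.

# Constructed sample: an href a page author controls. Everything after the
# semicolon is shell code, not part of the URI.
CRAFTED_URI='http://example.com/;echo INJECTED'

# Vulnerable shape (assumption: the selected URI is substituted into the
# command text before sh parses it). $1 is spliced into the string, so the
# inner sh sees
#     printf 'open:%s\n' http://example.com/;echo INJECTED
# and runs two commands: the "browser" and the attacker's echo.
open_hovered_uri_vulnerable() {
    sh -c "printf 'open:%s\n' $1"
}

# Hardened shape: the command text is a fixed single-quoted string and the
# URI travels as a positional parameter ("sh" fills $0). Metacharacters in
# the URI reach printf as one literal argument and are never parsed as syntax.
open_hovered_uri_fixed() {
    sh -c 'printf "open:%s\n" "$1"' sh "$1"
}

# Return the last line each variant prints. "INJECTED" on its own line means
# the payload executed; the full URI echoed back means it stayed data.
last_line_vulnerable() {
    open_hovered_uri_vulnerable "$CRAFTED_URI" | tail -n 1
}

last_line_fixed() {
    open_hovered_uri_fixed "$CRAFTED_URI" | tail -n 1
}

# Stand-alone demo (expected: "vulnerable: INJECTED" and
# "fixed: open:http://example.com/;echo INJECTED").
demo() {
    printf 'vulnerable: %s\n' "$(last_line_vulnerable)"
    printf 'fixed: %s\n' "$(last_line_fixed)"
}

demo
```

The same distinction is why the report stresses that upgrading the package is not enough: the binding lives in the user's own config file, so an old copy of the vulnerable command string keeps splicing the URI into shell syntax until the config itself is updated.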

Comment 7 Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2014-06-02 13:29:54 UTC
(Kéwan: Note: This bug has been handled, no maintainer actions are needed here.)
Comment 8 Sean Amoss (RETIRED) gentoo-dev Security 2014-12-12 00:34:30 UTC
This issue was resolved and addressed in GLSA 201412-08 at http://security.gentoo.org/glsa/glsa-201412-08.xml by GLSA coordinator Sean Amoss (ackle).