Summary: | <x11-misc/xdg-utils-1.1.1: Command injection from `xdg-open` args (CVE-2014-9622) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | john.houwer |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | major | CC: | ainsaar, freedesktop-bugs, john.houwer, kensington, mrueg |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
See Also: | http://bugs.freedesktop.org/show_bug.cgi?id=66670 | | |
Whiteboard: | A2 [glsa] | | |
Package list: | | Runtime testing required: | --- |
Bug Depends on: | 558676 | | |
Bug Blocks: | | | |
Description
john.houwer
2013-06-10 16:31:37 UTC
The reporter tested against upstream git and couldn't reproduce there.

I cannot reproduce the problem here with xdg-utils-1.1.0_rc1_p20120916. Possibly it's dependent on your shell. Are you using bash-4.2 as your /bin/sh, or something else?

Bash: 4.2_p45
/bin/sh -> bash

This triggers the problem:

    DE="generic" XDG_CURRENT_DESKTOP="" xdg-open 'http://127.0.0.1/$(xterm)'
    START /usr/bin/chromium-browser "http://127.0.0.1/$(xterm)"
    /usr/bin/xdg-open: line 558: xterm: command not found

i.e. only when detectDE() does not find a supported desktop environment and xdg-open uses the open_generic() function.

I can confirm this as well. Should we request a CVE?

Filed upstream.

CVE-2014-9622 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9622): Eval injection vulnerability in xdg-utils 1.1.0 RC1, when no supported desktop environment is identified, allows context-dependent attackers to execute arbitrary code via the URL argument to xdg-open.

rc1 has been removed from the tree, upstream bug is fixed. @freedesktop, anything left to do?

Ping @freedesktop? Anything else needs to be done from your side?

Current stable still appears to be affected. I am going to CC arch teams in bug #558676 to take care of this.

This issue was resolved and addressed in GLSA 201701-09 at https://security.gentoo.org/glsa/201701-09 by GLSA coordinator Thomas Deutschmann (whissi).
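Added example, not part of the bug report and not xdg-utils code: a minimal shell sketch of the eval-injection class named in the CVE text, with the unsafe pattern beside two hardened forms. The function names, `fake_browser`, and the sample URL (modelled on the trigger quoted above, with a harmless `echo` marker) are constructed for illustration.

```shell
#!/bin/sh
# Constructed demo. fake_browser stands in for the real browser binary
# and prints the single argument exactly as it received it.
fake_browser() {
    printf 'ARG=%s\n' "$1"
}

# Unsafe pattern: the URL is pasted into a command string, then eval
# parses that string a second time. Command substitution inside the
# double quotes is executed by the shell before the browser starts.
open_with_eval() {
    cmd="fake_browser \"$1\""
    eval "$cmd"
}

# Hardened form 1: no eval. The URL travels as one argv element and is
# never parsed as shell syntax.
open_without_eval() {
    fake_browser "$1"
}

# Hardened form 2, for scripts that must keep eval: single-quote the
# eval'd text so it contains the literal characters "$1". The parameter
# is expanded once, inside eval, and its value is not re-parsed.
open_with_quoted_eval() {
    eval 'fake_browser "$1"'
}

# Constructed sample input with a harmless marker command.
SAMPLE_URL='http://127.0.0.1/$(echo INJECTED)'

for fn in open_with_eval open_without_eval open_with_quoted_eval; do
    printf '%-22s ' "$fn"
    "$fn" "$SAMPLE_URL"
done
```

Only `open_with_eval` prints the URL with the substitution already performed; in the other two the `$(...)` text reaches the browser stub unchanged.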