
Bug 472888 (CVE-2014-9622)

Summary: <x11-misc/xdg-utils-1.1.1: Command injection from `xdg-open` args (CVE-2014-9622)
Product: Gentoo Security
Reporter: john.houwer
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: major
CC: ainsaar, freedesktop-bugs, john.houwer, kensington, mrueg
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
See Also:
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 558676
Bug Blocks:

Description john.houwer 2013-06-10 16:31:37 UTC

xdg-open '$(xterm)'
is run, the script does no escaping and an xterm is started.

If you run the script with -x you see the problem.
+ eval /usr/bin/firefox '"$(xterm)"'
/usr/bin/firefox "$(xterm)"

Injection of arbitrary commands is possible. Some applications don't validate the input to xdg-open.

I was able to produce this behaviour with:

However I was unable to reproduce it with the source (git).

Yesterday I posted this bug to the similar bug:
But I think this here is the better choice.

If you need more info, please contact me.

Thank you.

Regards John
Comment 1 Michael Palimaka (kensington) gentoo-dev 2013-06-22 15:47:56 UTC
The reporter tested against upstream git and couldn't reproduce there.
Comment 2 Alexandre Rostovtsev (RETIRED) gentoo-dev 2013-06-23 21:13:08 UTC
I cannot reproduce the problem here with xdg-utils-1.1.0_rc1_p20120916

Possibly it's dependent on your shell. Are you using bash-4.2 as your /bin/sh, or something else?
Comment 3 john.houwer 2013-06-24 19:14:15 UTC
Bash: 4.2_p45
/bin/sh -> bash
Comment 4 Stefan Knoblich 2013-07-02 10:57:46 UTC
This triggers the problem:

DE="generic" XDG_CURRENT_DESKTOP="" xdg-open '$(xterm)'
START /usr/bin/chromium-browser "$(xterm)"
/usr/bin/xdg-open: line 558: xterm: command not found

i.e. only when detectDE() does not find a supported desktop environment and xdg-open uses the open_generic() function.
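The pattern visible in the `set -x` trace above, shown as an added demonstration that is not xdg-utils' own code: an `eval`-based launcher beside one that hands the URL to the browser as a single, never re-parsed word. The browser is a stub function that prints the argument it received, so the difference is visible without launching anything.

```shell
#!/bin/sh
# Stub standing in for the configured browser (constructed for this example):
# prints the first argument exactly as it was received.
fake_browser() { printf '%s\n' "$1"; }

# Unsafe launcher, mirroring the pattern in the trace:
#   eval /usr/bin/firefox '"$(xterm)"'
# eval re-parses the joined string, so $(...), backticks and quotes inside
# the URL are expanded by the shell before the browser ever sees them.
open_unsafe() {
    eval "$1" "\"$2\""
}

# Hardened launcher: the command word may be split (BROWSER-style values can
# carry flags), but the URL is passed as one quoted argument and is never
# re-parsed, so shell syntax inside it stays literal.
open_safe() {
    $1 "$2"
}

# Constructed input: a "URL" that contains a command substitution.
payload='$(echo INJECTED)'

# Stand-alone demonstration.
printf 'unsafe: '; open_unsafe fake_browser "$payload"   # prints INJECTED
printf 'safe:   '; open_safe   fake_browser "$payload"   # prints $(echo INJECTED)
```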
Comment 5 Chris Reffett (RETIRED) gentoo-dev Security 2013-07-04 00:21:12 UTC
I can confirm this as well. Should we request a CVE?
Comment 6 Chris Reffett (RETIRED) gentoo-dev Security 2013-07-07 15:25:42 UTC
Filed upstream.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2015-06-17 17:22:29 UTC
CVE-2014-9622 (
  Eval injection vulnerability in xdg-utils 1.1.0 RC1, when no supported
  desktop environment is identified, allows context-dependent attackers to
  execute arbitrary code via the URL argument to xdg-open.
Comment 8 Manuel Rüger (RETIRED) gentoo-dev 2015-07-07 20:37:44 UTC
rc1 has been removed from the tree, upstream bug is fixed. 
@freedesktop, anything left to do?
Comment 9 Yury German Gentoo Infrastructure gentoo-dev 2015-11-22 15:13:13 UTC
Ping @freedesktop? Anything else needs to be done from your side?
Comment 10 Michael Palimaka (kensington) gentoo-dev 2015-11-22 16:13:34 UTC
Current stable still appears to be affected. I am going to CC arch teams in bug #558676 to take care of this.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2017-01-01 16:38:14 UTC
This issue was resolved and addressed in
 GLSA 201701-09 at
by GLSA coordinator Thomas Deutschmann (whissi).