Summary: | x11-misc/xdg-utils: Improper handling of mailto URI (CVE-2020-27748) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Sam James <sam> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | IN_PROGRESS --- | ||
Severity: | normal | CC: | freedesktop-bugs |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://gitlab.freedesktop.org/xdg/xdg-utils/-/issues/177 | ||
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=882079 | ||
Whiteboard: | A4 [upstream/ebuild] | ||
Package list: | Runtime testing required: | --- |
Description
Sam James
2020-11-26 16:31:40 UTC
Please apply the linked patch. (In reply to Sam James from comment #1) > Please apply the linked patch. https://gitlab.freedesktop.org/Mic92/xdg-utils/-/commit/1f199813e0eb0246f63b54e9e154970e609575af, if you feel it's suitable. Upstream issue seems dead. So this only affects people who call xdg-email and have Thunderbird as their default mail client, and fail to notice that a file got attached to their message. This seems pretty unlikely to actually happen to me. I think we should wait for a change to be merged upstream. Package list is empty or all packages have requested keywords. Package list is empty or all packages have requested keywords. Package list is empty or all packages have requested keywords. Package list is empty or all packages have requested keywords. Package list is empty or all packages have requested keywords. Package list is empty or all packages have requested keywords. Fix never got merged upstream due to upstream being pretty much dead. Tbh it seems pretty unlikely that upstream will ever merge the fix, vulnerable version still remains in tree and it's not too difficult to exploit (if rather unlikely to find vulnerable configurations). Thus I think we should pull the fix from private forks and patch the tree, waiting for upstream any longer doesn't make any sense to me. (In reply to 9ts641j2 from comment #10) > Fix never got merged upstream due to upstream being pretty much dead. Tbh it > seems pretty unlikely that upstream will ever merge the fix, vulnerable > version still remains in tree and it's not too difficult to exploit (if > rather unlikely to find vulnerable configurations). Thus I think we should > pull the fix from private forks and patch the tree, waiting for upstream any > longer doesn't make any sense to me. Can you share patches that other distributions might be applying? (In reply to 9ts641j2 from comment #12) > https://gitlab.freedesktop.org/Mic92/xdg-utils/-/commit/ > 1f199813e0eb0246f63b54e9e154970e609575af so the patch I linked originally? :) If you want us to apply other patches, link them. I didn't have any other patches in mind, however judging from the ebuild I don't think this patch has been applied yet. I could be wrong there, if not I'd be happy to submit a PR for this. |