
Bug 851201 (CVE-2022-32278)

Summary: <xfce-base/exo-{4.16.4,4.17.2}: can execute remote .desktop files
Product: Gentoo Security
Component: Vulnerabilities
Reporter: Michał Górny <mgorny>
Assignee: Gentoo Security <security>
Status: IN_PROGRESS
Severity: major
Priority: Normal
CC: ajak
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B2 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 851204
Bug Blocks:

Description Michał Górny 2022-06-11 11:11:07 UTC
From the announcement:

Release notes for 4.16.4
========================
(Security Patch)

- exo-open : Only execute local .desktop files
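The release note only says that exo-open now refuses to execute .desktop files that are not local. The block below is an added Python model of that decision, written for this page; it is not exo's code (exo is C against GLib/GIO, and the real checks live in the upstream commits). The `decide_vulnerable` / `decide_hardened` dispatchers, the `is_local_desktop_file` check and the sample launcher are all hypothetical and constructed here. The check also covers a caveat a practitioner will care about: a share mounted through the GVFS FUSE bridge shows up as an ordinary path under /run/user/<uid>/gvfs/, so "starts with /" is not the same as "local".

```python
"""Model of the exo-open hardening "only execute local .desktop files".

Hypothetical illustration, not exo's own code. A .desktop file is a
launcher: its Exec= line is a shell command. Treating a remote one as a
launcher lets whoever controls the remote file run commands locally.
"""
import os
from typing import Optional
from urllib.parse import unquote, urlparse

# Constructed sample launcher (not a real file from any report).
SAMPLE_DESKTOP = """[Desktop Entry]
Type=Application
Name=Quarterly report
Exec=touch /tmp/exo-open-ran-this
Icon=application-pdf
"""


def exec_field(desktop_text: str) -> Optional[str]:
    """Return the Exec= value of the [Desktop Entry] group, or None."""
    in_entry = False
    for line in desktop_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_entry = line == "[Desktop Entry]"
            continue
        if in_entry and line.startswith("Exec="):
            return line[len("Exec="):]
    return None


def is_local_desktop_file(target: str) -> bool:
    """True only when `target` names a .desktop file on the local filesystem.

    Deny by default: any URI scheme other than file:// is remote, and a
    file:// URI that carries a host other than localhost is remote too.
    """
    parsed = urlparse(target)
    if parsed.scheme == "file":
        if parsed.netloc not in ("", "localhost"):
            return False
        path = unquote(parsed.path)
    elif parsed.scheme == "":
        path = target  # plain filesystem path (absolute or relative)
    else:
        # http://, https://, smb://, sftp://, dav://, ...: never a launcher
        return False

    path = os.path.realpath(path)
    # GVFS FUSE bridge: /run/user/<uid>/gvfs/<backend>/... is a network
    # share presented as a local path, so it is still remote content.
    parts = path.split(os.sep)
    if len(parts) > 4 and parts[1:3] == ["run", "user"] and parts[4] == "gvfs":
        return False
    return path.endswith(".desktop")


def decide_vulnerable(target: str) -> str:
    """Pre-fix behaviour as the release note describes it: anything that
    looks like a launcher is executed, wherever it came from."""
    return "execute" if target.endswith(".desktop") else "open"


def decide_hardened(target: str) -> str:
    """Post-fix behaviour: only a local launcher is executed; a remote
    .desktop file is handed to the normal file handler instead of run."""
    return "execute" if is_local_desktop_file(target) else "open"


if __name__ == "__main__":
    for t in ("/usr/share/applications/editor.desktop",
              "https://example.invalid/report.desktop",
              "/run/user/1000/gvfs/smb-share:server=nas,share=pub/report.desktop"):
        print(f"{t}\n  before: {decide_vulnerable(t)}  after: {decide_hardened(t)}")
    print("Exec line an attacker would control:", exec_field(SAMPLE_DESKTOP))
```

The design choice worth noting is deny-by-default: the hardened path whitelists `file://` and bare paths rather than blacklisting known remote schemes, so an unfamiliar scheme falls through to "open" instead of "execute". The GVFS check is a heuristic on the mount location; on a system with a different runtime directory layout it would need adjusting.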
Comment 1 John Helmert III 2022-06-11 20:42:44 UTC
Cool. A non-public CVE that you can only find in commit history.

https://gitlab.xfce.org/xfce/exo/-/commit/c71c04ff5882b2866a0d8506fb460d4ef796de9f
https://gitlab.xfce.org/xfce/exo/-/commit/cc047717c3b5efded2cc7bd419c41a3d1f1e48b6

Thank you for filing!
Comment 2 Michał Górny 2022-07-05 18:52:36 UTC
Cleanup done.
Comment 3 John Helmert III 2022-07-05 19:48:47 UTC
Thanks!