Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 184886 - xfce-extra/terminal: URL handling allows remote shell command execution
Summary: xfce-extra/terminal: URL handling allows remote shell command execution
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Depends on:
Reported: 2007-07-10 18:54 UTC by Lasse Kärkkäinen
Modified: 2007-08-11 22:05 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Lasse Kärkkäinen 2007-07-10 18:54:49 UTC
Clicking "Open Link" on a malicious link may leak information or allow remote shell command execution because Xfce Terminal uses /bin/sh -c with gdk_spawn_on_screen for running the browser, with no proper escaping in the URI. A recommended fix would be to use the execvp(2) series functions with no shell, but the upstream does not want to fix this (I have notified Benny of this issue in Nov 2006).

Example URIs:$(xterm)/ - remote command execution$(ls)&sourceid=b0rk - used for stealing information$HOME - examine environment

The behavior of these may vary depending on the browser chosen. I can verify the current results on two computers with the default setting "Mozilla Firefox" chosen, using xfce-extra/terminal-0.2.6-r1.
Comment 1 Samuli Suominen (RETIRED) gentoo-dev 2007-07-10 19:02:43 UTC
Could you link us to the upstream bug you have opened?
Comment 2 Lasse Kärkkäinen 2007-07-10 19:05:07 UTC
I have not, as I don't have an account on their Bugzilla. I reported it by email.
Comment 3 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-07-18 12:07:33 UTC
setting status. Xfce, please keep us informed when upstream releases a fix for this.
Comment 4 Samuli Suominen (RETIRED) gentoo-dev 2007-07-21 00:04:27 UTC
(In reply to comment #3)
> setting status. Xfce, please keep us informed when upstream releases a fix for
> this.

Fixed in upstream trunk. Expect a patch tomorrow.
Comment 5 Samuli Suominen (RETIRED) gentoo-dev 2007-07-21 09:03:04 UTC
*terminal-0.2.6_p25931 (21 Jul 2007)

  21 Jul 2007; Samuli Suominen <>
  Snapshot to fix security bug 184886, remote shell command execution.
Comment 6 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-07-21 09:42:33 UTC
thanks Samuli.
Arches, please test and mark stable xfce-extra/terminal-0.2.6_p25931.
target keywords are: "alpha amd64 arm hppa ia64 mips ppc ppc64 sparc x86 ~x86-fbsd"
Comment 7 Christoph Mende (RETIRED) gentoo-dev 2007-07-21 13:22:22 UTC
amd64 stable
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2007-07-21 13:35:15 UTC
Stable for HPPA.
Comment 9 Brian Evans 2007-07-21 14:46:46 UTC
On Alpha:

1. Compiles fine
2. Passes collision test
3. Works nice with no URL exploit

Terminal 0.2.7svn-25931 (Xfce 4.4.1)

Portage (default-linux/alpha/2007.0/desktop, gcc-4.1.2, glibc-2.5-r4, 2.6.21-gentoo-r4 alpha)
System uname: 2.6.21-gentoo-r4 alpha EV56
Gentoo Base System release 1.12.9
Timestamp of tree: Sat, 21 Jul 2007 13:50:01 +0000
ccache version 2.4 [enabled]
dev-lang/python:     2.4.4-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.4-r7
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.23b
virtual/os-headers:  2.6.17-r2
CFLAGS="-mieee -pipe -O2 -mcpu=ev5"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-mieee -pipe -O2 -mcpu=ev5"
FEATURES="ccache distlocks metadata-transfer parallel-fetch sandbox sfperms strict"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
USE="X acl alpha alsa berkdb bitmap-fonts bzip2 cairo cdr cli cracklib crypt cups curl dbus dri dvd dvdr dvdread encode evo fam fortran gdbm gif gpm gtk hal iconv ipv6 isdnlog jpeg libg++ libnotify mad midi mikmod mp3 mpeg mudflap ncurses nls nptl nptlonly ogg opengl openmp oss pam pcre pdf perl png pppd python qt3 qt3support qt4 quicktime readline reflection sdl session spell spl ssl startup-notification svg tcpd tiff truetype truetype-fonts type1-fonts unicode vorbis xml xorg xv zlib" ALSA_CARDS="ali5451 als4000 bt87x ca0106 cmipci emu10k1 ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 maestro3 trident usb-audio via82xx ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard evdev mouse joystick" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en" USERLAND="GNU" VIDEO_CARDS="radeon vga fbdev"
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2007-07-21 14:53:05 UTC
alpha/ia64/x86 stable, thanks Brian
Comment 11 Samuli Suominen (RETIRED) gentoo-dev 2007-07-21 16:55:22 UTC
arm done
Comment 12 Gustavo Zacarias (RETIRED) gentoo-dev 2007-07-23 18:04:06 UTC
sparc stable.
Comment 13 Markus Rothe (RETIRED) gentoo-dev 2007-07-25 05:23:28 UTC
ppc64 stable
Comment 14 Tobias Scherbaum (RETIRED) gentoo-dev 2007-07-27 20:50:54 UTC
ppc stable, ready for glsa
Comment 15 Samuli Suominen (RETIRED) gentoo-dev 2007-08-01 14:29:40 UTC
Comment 16 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-08-01 14:44:00 UTC
(In reply to comment #15)
> zzzz..

I don't know if this comment is for to the security team, but just so you know, we've got about 130 open bugs which need some attention, plus 20 glsas in the pool waiting to be drafted/reviewed/sent. I'm doing as much as I can, but security team is clearly understaffed to achieve all this work in a timely manner, so if you wanna join us and help out, you're welcome :)
Comment 17 Joshua Kinard gentoo-dev 2007-08-06 02:51:52 UTC
mips stable.
Comment 18 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-08-11 22:04:53 UTC
it's GLSA 200708-07, thanks everybody and sorry for the delay.