Bug 472888 (CVE-2014-9622) - <x11-misc/xdg-utils-1.1.1: Command injection from `xdg-open` args (CVE-2014-9622)
Summary: <x11-misc/xdg-utils-1.1.1: Command injection from `xdg-open` args (CVE-2014-9...
Status: RESOLVED FIXED
Alias: CVE-2014-9622
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa]
Keywords:
Depends on: 558676
Blocks:
Reported: 2013-06-10 16:31 UTC by john.houwer
Modified: 2017-01-01 16:38 UTC
Description john.houwer 2013-06-10 16:31:37 UTC
Hi,

When
xdg-open 'http://127.0.0.1/$(xterm)'
is run, the script does no escaping and an xterm is started.

If you run the script with -x you see the problem.
+ eval /usr/bin/firefox '"http://127.0.0.1/$(xterm)"'
/usr/bin/firefox "http://127.0.0.1/$(xterm)"


Injection of arbitrary commands is possible. Some applications don't validate the input to xdg-open.


I was able to produce this behaviour with:
1.1.0_rc1_p20120319^t
~1.1.0_rc1_p20120916^t

However I was unable to reproduce it with the freedesktop.org source (git).

Yesterday I posted this bug to the similar bug: 
https://bugs.gentoo.org/show_bug.cgi?id=447662
But I think this here is the better choice.

If you need more info, please contact me.

Thank you.

Regards John
Comment 1 Michael Palimaka (kensington) gentoo-dev 2013-06-22 15:47:56 UTC
The reporter tested against upstream git and couldn't reproduce there.
Comment 2 Alexandre Rostovtsev (RETIRED) gentoo-dev 2013-06-23 21:13:08 UTC
I cannot reproduce the problem here with xdg-utils-1.1.0_rc1_p20120916

Possibly it's dependent on your shell. Are you using bash-4.2 as your /bin/sh, or something else?
Comment 3 john.houwer 2013-06-24 19:14:15 UTC
Bash: 4.2_p45
/bin/sh -> bash
Comment 4 Stefan Knoblich 2013-07-02 10:57:46 UTC
This triggers the problem:

DE="generic" XDG_CURRENT_DESKTOP="" xdg-open 'http://127.0.0.1/$(xterm)'
START /usr/bin/chromium-browser "http://127.0.0.1/$(xterm)"
/usr/bin/xdg-open: line 558: xterm: command not found

i.e. only when detectDE() does not find a supported desktop environment and xdg-open uses the open_generic() function.
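The trigger condition above (no supported desktop detected, so open_generic() runs and the `-x` trace in the description shows `eval /usr/bin/firefox '"http://127.0.0.1/$(xterm)"'`) comes down to one shell idiom. The script below is an added illustration, not xdg-utils code and not part of this bug report: it reproduces that eval shape with a stand-in browser, puts a hardened form next to it, and checks whether a payload inside the URL actually executes. The names fake_browser, open_generic_vulnerable, open_generic_fixed and injection_executes are chosen here; the only assumption about the original is that open_generic() joined the browser command and the URL into a string and handed it to eval, which is what the trace shows.

```shell
#!/bin/sh
# Added example, not xdg-utils code: a minimal stand-in for the open_generic()
# code path that the -x trace in this bug shows, next to a hardened form.

# Stand-in for /usr/bin/firefox: print the single argument it received,
# so we can see exactly what the "browser" was handed.
fake_browser() {
    printf '%s\n' "$1"
}

# Vulnerable shape (assumed from the trace): the URL is embedded in a string
# that eval re-parses, so $(...), backticks, ';', '&&' etc. inside the URL
# are interpreted by the shell before the browser ever sees them.
open_generic_vulnerable() {
    browser=fake_browser
    eval "$browser" "\"$1\""
}

# Hardened shape: pass the URL as one ordinary quoted argument and never
# feed caller-controlled text to eval. The bytes reach the browser
# unchanged and no command substitution can happen.
open_generic_fixed() {
    browser=fake_browser
    "$browser" "$1"
}

# Does a payload inside the URL really execute, or is it only text?
# Returns 0 if the marker file the payload tries to create exists afterwards.
injection_executes() {
    opener="$1"
    dir=$(mktemp -d)
    marker="$dir/pwned"
    "$opener" "http://127.0.0.1/\$(touch '$marker')" >/dev/null
    if [ -e "$marker" ]; then
        rm -rf "$dir"
        return 0
    fi
    rm -rf "$dir"
    return 1
}

# Demo when run directly: same payload, two opener shapes.
payload='http://127.0.0.1/$(echo injected)'
echo "vulnerable: $(open_generic_vulnerable "$payload")"
echo "fixed:      $(open_generic_fixed "$payload")"
```

Run it with `sh` (the reporter's /bin/sh was bash, but the behaviour is the same in any POSIX shell): the vulnerable opener prints `http://127.0.0.1/injected` because `$(echo injected)` ran, while the fixed opener prints the URL literally. The marker-file check is the stronger test, since it proves the payload executed rather than merely being substituted; the same holds for any shell metacharacter, not just `$(...)`.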
Comment 5 Chris Reffett (RETIRED) gentoo-dev Security 2013-07-04 00:21:12 UTC
I can confirm this as well. Should we request a CVE?
Comment 6 Chris Reffett (RETIRED) gentoo-dev Security 2013-07-07 15:25:42 UTC
Filed upstream.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2015-06-17 17:22:29 UTC
CVE-2014-9622 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9622):
  Eval injection vulnerability in xdg-utils 1.1.0 RC1, when no supported
  desktop environment is identified, allows context-dependent attackers to
  execute arbitrary code via the URL argument to xdg-open.
Comment 8 Manuel Rüger (RETIRED) gentoo-dev 2015-07-07 20:37:44 UTC
rc1 has been removed from the tree; the upstream bug is fixed.
@freedesktop, anything left to do?
Comment 9 Yury German Gentoo Infrastructure gentoo-dev 2015-11-22 15:13:13 UTC
Ping @freedesktop? Anything else needs to be done from your side?
Comment 10 Michael Palimaka (kensington) gentoo-dev 2015-11-22 16:13:34 UTC
Current stable still appears to be affected. I am going to CC arch teams in bug #558676 to take care of this.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2017-01-01 16:38:14 UTC
This issue was resolved and addressed in
 GLSA 201701-09 at https://security.gentoo.org/glsa/201701-09
by GLSA coordinator Thomas Deutschmann (whissi).