Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 650894 (CVE-2017-17530) - sci-mathematics/geomview: Argument-injection through BROWSER env var
Summary: sci-mathematics/geomview: Argument-injection through BROWSER env var
Alias: CVE-2017-17530
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
Whiteboard: ~2 [upstream cve]
Depends on:
Reported: 2018-03-19 14:55 UTC by GLSAMaker/CVETool Bot
Modified: 2022-08-11 01:52 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2018-03-19 14:55:02 UTC
CVE-2017-17530 (
  common/help.c in Geomview 1.9.5 does not validate strings before launching
  the program specified by the BROWSER environment variable, which might allow
  remote attackers to conduct argument-injection attacks via a crafted URL.

@Maintainers please confirm if we are affected.

Thank you
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-11 00:09:30 UTC
Hm, the functionality linked in Debian's tracker bug seems to be for viewing the local documentation installed with the package. I'm not sure how an attacker could manipulate the URLs it's fed.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-11 01:52:05 UTC
Specifically, the vulnerable code is this (

    snprintf(helper, PATH_MAX, "%s %s &", browser, file);
    dummy = system(helper);

So if `browser` or `file` can be controlled by an attacker, the attacker controls the command line passed to system(). In particular, the CVE says the BROWSER environment variable could be problematic. I think it means WEBBROWSER. At line 50, if WEBBROWSER is set in the environment, `browser` gets the value of WEBBROWSER, else it gets the value of the macro DFLTHTMLBROWSER, which is `firefox` by default.

  if (*htmlbrowser == '\0') {
    if ((browser = getenv("WEBBROWSER")) == NULL) {
      browser = DFLTHTMLBROWSER;
  } else {
    browser = htmlbrowser;

Since environment variables are implicitly trusted here, WEBBROWSER seems uninteresting, so let's look at `file`, at line 71:

  if ((docdir = getenv("GEOMVIEW_DOC_DIR")) == NULL) {
    docdir = DOCDIR; /* compile-time default */

  if (strncasecmp(type, "html", strlen("html")) == 0) {
    dfltfile = "%s/html/index.html";
    langfile = "%s/html/%s/index.html";


  if ((lang = getenv("LANG")) != NULL) {
    snprintf(helper, PATH_MAX, langfile, docdir, lang);
    file = findfile(NULL, helper);
  if (file == NULL) {
    snprintf(helper, PATH_MAX, dfltfile, docdir);
    file = findfile(NULL, helper);

Since the environment is trusted, we can ignore the conditional based on getenv(). If LANG is not set in the environment, `helper` will get the value of dfltfile, which is "%s/html/index.html", where the "%s" is replaced with `docdir`. The only way to control `docdir` at runtime is via the GEOMVIEW_DOC_DIR environment variable, which we can again treat as trusted as coming from the environment.

I don't think there's any impact here.