Bug 789396 (CVE-2021-32563) - <xfce-base/thunar-{4.16.8, 4.17.3}: File type confusion vulnerability (CVE-2021-32563)
Summary: <xfce-base/thunar-{4.16.8, 4.17.3}: File type confusion vulnerability (CVE-20...
Status: IN_PROGRESS
Alias: CVE-2021-32563
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa?]
 
Reported: 2021-05-11 07:58 UTC by Sam James
Modified: 2021-11-09 21:48 UTC

Package list:
xfce-base/thunar-4.16.8
Runtime testing required: ---
nattka: sanity-check-


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-11 07:58:15 UTC
Description:
"When called with a regular file as command line argument, Thunar
would delegate to some other program without user confirmation
based on the file type. This could be exploited to trigger code
execution in a chain of vulnerabilities.

This is fixed in 4.16.7 and 4.17.2. When called with a regular
file, Thunar now opens the containing directory and selects the
file.

A CVE ID has been requested.

Reference:

https://gitlab.xfce.org/xfce/thunar/-/commit/9165a61f95e43cc0b5abf9b98eee2818a0191e0b

Note: the fix introduced a regression which is fixed in 4.16.8 and 4.17.3.

https://gitlab.xfce.org/xfce/thunar/-/commit/3b54d9d7dbd7fd16235e2141c43a7f18718f5664

Gabriel"
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-11 07:58:35 UTC
Can we stable 4.16.8 (or, unlikely, 4.17.3)?
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-05-11 21:59:02 UTC
Sure, let's do it.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-13 04:31:22 UTC
x86 done
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-13 04:32:11 UTC
amd64 done
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-13 04:35:16 UTC
arm done
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-13 04:35:27 UTC
ppc done
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-13 04:35:31 UTC
ppc64 done
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-13 16:25:32 UTC
arm64 done

all arches done
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-13 16:25:50 UTC
Please clean up.
Comment 10 Larry the Git Cow gentoo-dev 2021-05-13 19:31:45 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a44a5e315a6bd08d50edf26134b8b38e880557ad

commit a44a5e315a6bd08d50edf26134b8b38e880557ad
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-05-13 19:24:39 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-05-13 19:31:40 +0000

    xfce-base/thunar: Remove old
    
    Bug: https://bugs.gentoo.org/789396
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 xfce-base/thunar/Manifest             |  4 --
 xfce-base/thunar/thunar-4.16.6.ebuild | 76 -----------------------------------
 xfce-base/thunar/thunar-4.16.7.ebuild | 76 -----------------------------------
 xfce-base/thunar/thunar-4.17.1.ebuild | 76 -----------------------------------
 xfce-base/thunar/thunar-4.17.2.ebuild | 76 -----------------------------------
 5 files changed, 308 deletions(-)
Comment 11 NATTkA bot gentoo-dev 2021-11-09 21:48:56 UTC
Unable to check for sanity:

> no match for package: xfce-base/thunar-4.16.8