Package: xdg-utils
Version: 1.1.0~rc1+git20111210-7.3
Severity: grave
Tags: security patch
Justification: user security hole

Hi,

there is a long-standing issue with xdg-open on Debian -- it parses all files it is trying to open. This is easily exploitable.

Requirements are similar as in last RCE: Window Manager which is _NOT_ one of the following:
 * KDE
 * GNOME
 * MATE
 * XFCE
 * ENLIGHTENMENT

Problem is caused by name collision in local variables, which are apparently not very local in this case (maybe also dash problem?)

Exploit was made from wikipedia image [0].

It would be nice to have it fixed in jessie.

Cheers,
Jiri

[0] https://commons.wikimedia.org/wiki/Category:Unidentified_animals#mediaviewer/File:Augochlora_buscki,_M,_Back5,_Puerto_Rico,_Yauco_2014-09-15-18.11.39_ZS_PMax_(16292752499).jpg

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'testing-updates'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

xdg-utils depends on no packages.

Versions of packages xdg-utils recommends:
pn  libfile-mimeinfo-perl  <none>
pn  libnet-dbus-perl       <none>
pn  libx11-protocol-perl   <none>
ii  x11-utils              7.7+2
ii  x11-xserver-utils      7.7+3+b1

Versions of packages xdg-utils suggests:
pn  gvfs-bin  <none>

-- no debconf information

--- xdg-open.orig 2015-02-11 21:40:42.560282993 +0100 +++ xdg-open 2015-02-11 21:44:10.695894428 +0100 @@ -538,16 +538,16 @@ DEBUG 3 "$xdg_user_dir:$xdg_system_dirs" for x in `echo "$xdg_user_dir:$xdg_system_dirs" | sed 's/:/ /g'`; do - local file + local desktop_file # look for both vendor-app.desktop, vendor/app.desktop if [ -r "$x/applications/$default" ]; then - file="$x/applications/$default" + desktop_file="$x/applications/$default" elif [ -r "$x/applications/`echo $default | sed -e 's|-|/|'`" ]; then - file="$x/applications/`echo $default | sed -e 's|-|/|'`" + desktop_file="$x/applications/`echo $default | sed -e 's|-|/|'`" fi - if [ -r "$file" ] ; then - set -- $(sed -n 's/^Exec\(\[[^]]*\]\)\{0,1\}=//p' "$file") + if [ -r "$desktop_file" ] ; then + set -- $(sed -n 's/^Exec\(\[[^]]*\]\)\{0,1\}=//p' "$desktop_file") command_exec="$(which "$1" 2> /dev/null)" if [ -x "$command_exec" ] ; then shift
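
Review bot: `local desktop_file` inside the `for x in ...` loop is still declared without an initial value, and the variable is only assigned when one of the two `-r` tests matches, so on an iteration where neither matches `[ -r "$desktop_file" ]` tests whatever value the name already held (from an earlier iteration or from a same-named variable in an enclosing scope). The rename removes the collision with `file`, but setting `desktop_file=""` at the top of each iteration (or declaring `local desktop_file=""`) would make the check independent of how the shell implements `local`. Separately, `set -- $(sed ...)` and `echo $default` stay unquoted in the context lines, so both values go through word splitting and globbing; that is worth a follow-up change.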
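
The scoping behaviour the report points at, shown as an added example that is not part of the original report or of xdg-open's code. All function names, paths and the `.desktop` name are hypothetical; the sketch assumes a shell that supports `local` (dash and bash both do, with different semantics for an uninitialised local).

```shell
#!/bin/sh
# Added illustration; names and paths are constructed, not taken from xdg-open.
# `local` is not POSIX. dash documents that a local variable inherits the value
# of the same-named variable in the surrounding scope; bash leaves it unset.

# Pattern from the report: declare without a value, assign only on a match.
lookup_uninitialised() {
    local file
    if [ -r "$1/applications/$2" ]; then
        file="$1/applications/$2"
    fi
    printf '%s' "$file"
}

# Defensive pattern: give the local an explicit empty value, so the result
# does not depend on the shell or on which names the caller already uses.
lookup_initialised() {
    local file=""
    if [ -r "$1/applications/$2" ]; then
        file="$1/applications/$2"
    fi
    printf '%s' "$file"
}

# Caller that already holds the document path in $file, then runs the lookup
# named in $2 against a directory that contains no matching .desktop entry.
open_with() {
    file="$1"
    "$2" /nonexistent-dir constructed.desktop
}

demo() {
    # Under dash the first line shows the caller's path; under bash it is empty.
    echo "uninitialised: '$(open_with /tmp/user-document.jpg lookup_uninitialised)'"
    # Empty under both shells.
    echo "initialised:   '$(open_with /tmp/user-document.jpg lookup_initialised)'"
}
demo
```

When the lookup result is non-empty without a match, any later `[ -r "$file" ]` check is being made against the document the user asked to open rather than a `.desktop` file, which is the condition the report describes.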