Source: pyxdg
Version: 0.25-5
Severity: normal
Tags: security upstream
Control: found -1 0.25-4

Hi,

The following vulnerability was published for pyxdg, as far as I understand though the impact would be limited as one would need to use pyxdg with untrusted menu files?

CVE-2019-12761[0]:
| A code injection issue was discovered in PyXDG before 0.26 via crafted
| Python code in a Category element of a Menu XML document in a .menu
| file. XDG_CONFIG_DIRS must be set up to trigger xdg.Menu.parse parsing
| within the directory containing this file. This is due to a lack of
| sanitization in xdg/Menu.py before an eval call.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-12761
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12761
[1] https://snyk.io/vuln/SNYK-PYTHON-PYXDG-174562

Regards,
Salvatore
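The bug class the CVE text names (element text from a .menu file reaching an eval call without sanitization) is easiest to reason about with a small constructed model. The example below is added here and is not pyxdg's code: it does not reproduce xdg/Menu.py, the Category matching it models is a simplified stand-in, the sample XML fragments are constructed, and the names `compile_rule_unsafe`, `compile_rule_safe` and `suspicious_categories` are hypothetical. It contrasts an eval-based matcher, where the file's text becomes Python source and can change the rule's logic, with a matcher that validates the Category text as a bare name and keeps all logic in code, plus a small audit helper a packager or admin could run over menu files in XDG_CONFIG_DIRS.

```python
import re
import xml.etree.ElementTree as ET

# Constructed .menu fragments (not taken from pyxdg or any real menu file);
# the Include/Category layout follows the structure named in the CVE text.
BENIGN_MENU = """<Menu>
  <Name>Constructed</Name>
  <Include><Category>Development</Category></Include>
</Menu>"""

# Category text carrying Python syntax. In the eval-based matcher below it
# rewrites the rule so that it matches every application.
CRAFTED_MENU = """<Menu>
  <Name>Constructed</Name>
  <Include><Category>Game' in categories or True or 'Game</Category></Include>
</Menu>"""

# XDG category names are plain identifiers; anything else is not a name.
CATEGORY_NAME = re.compile(r"[A-Za-z0-9_-]+")


def category_texts(menu_xml):
    """Return the text of every Category element in document order."""
    root = ET.fromstring(menu_xml)
    return [c.text or "" for c in root.iter("Category")]


def compile_rule_unsafe(menu_xml):
    """Vulnerable pattern (hypothetical, modelled on the CVE description):
    element text is spliced into Python source and passed to eval, so
    whoever controls the .menu file controls the rule."""
    clauses = ["'%s' in categories" % t for t in category_texts(menu_xml)]
    source = " or ".join(clauses) or "False"

    def matches(categories):
        # Stripping builtins does not help: the injected text only needs
        # operators and literals to change the outcome.
        return bool(eval(source, {"__builtins__": {}},
                         {"categories": set(categories)}))
    return matches


def suspicious_categories(menu_xml):
    """Audit helper: list Category texts that are not bare category names."""
    return [t for t in category_texts(menu_xml)
            if not CATEGORY_NAME.fullmatch(t.strip())]


def compile_rule_safe(menu_xml):
    """Hardened form: never evaluate file content. Validate each Category
    as a bare name and implement the matching in code the file cannot
    alter; reject the whole file if any Category fails validation."""
    bad = suspicious_categories(menu_xml)
    if bad:
        raise ValueError("rejected Category text: %r" % bad)
    wanted = [t.strip() for t in category_texts(menu_xml)]

    def matches(categories):
        cats = set(categories)
        return any(w in cats for w in wanted)
    return matches


if __name__ == "__main__":
    app = {"Office"}
    print("unsafe, benign file :", compile_rule_unsafe(BENIGN_MENU)(app))
    print("unsafe, crafted file:", compile_rule_unsafe(CRAFTED_MENU)(app))
    print("audit, crafted file :", suspicious_categories(CRAFTED_MENU))
    print("safe, benign file   :", compile_rule_safe(BENIGN_MENU)(app))
    try:
        compile_rule_safe(CRAFTED_MENU)
    except ValueError as exc:
        print("safe, crafted file  :", exc)
```

The point of the safe variant is that the fix is not escaping or a restricted eval namespace but removing eval from the data path entirely: the .menu file supplies names, and only code decides what to do with them. The audit helper is what a defender would run over existing menu files to find Category text that was never a category name.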
Hi, The following vulnerability was published for pyxdg, as far I understand though the impact would be limited as one would need to use pyxdg with untrusted menu files? CVE-2019-12761[0]: | A code injection issue was discovered in PyXDG before 0.26 via crafted | Python code in a Category element of a Menu XML document in a .menu | file. XDG_CONFIG_DIRS must be set up to trigger xdg.Menu.parse parsing | within the directory containing this file. This is due to a lack of | sanitization in xdg/Menu.py before an eval call. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2019-12761 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12761 [1] https://snyk.io/vuln/SNYK-PYTHON-PYXDG-174562 Regards, Salvatore