Your message dated Fri, 1 Feb 2008 11:14:37 +0100
with message-id <[EMAIL PROTECTED]>
and subject line Bug#463471: CVE-2008-0386 arbitrary code execution in
xdg-utils via crafted path name
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Source: xdg-utils
Severity: grave
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for xdg-utils.
CVE-2008-0386[0]:
| Description of problem:
| The generic handler of xdg-open (i.e. when not running in KDE, GNOME or XFCE)
| has the following code:
|
| browser_with_arg=`echo "$browser" | sed s#%s#"$1"#`
|
| if [ x"$browser_with_arg" = x"$browser" ]; then "$browser" "$1";
| else $browser_with_arg;
| fi
|
| sed interprets any commands in the argument and the result is executed by the
| script.
|
| Version-Release number of selected component (if applicable):
| xdg-utils-1.0.2-2.fc8
|
| How reproducible:
| Always
|
| Steps to Reproduce:
| 1. uninstall perl-File-MimeInfo package (not necessary with xdg-utils-1.0.2-3)
| 2. start plain X session
| 3. xdg-open 'http://foo.org/bar#;g;sx$xtouch:foox'
|
| Actual results:
| File foo created.
|
| Expected results:
| The page opened in a web browser.
The CVE id for this is still on status RESERVED, it will be released in
the next days.
You can find patches for the described issues on:
http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-email?r1=1.36&r2=1.37&view=patch
http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-email.in?r1=1.24&r2=1.25&view=patch
http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-open?r1=1.32&r2=1.33&view=patch
http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-open.in?r1=1.17&r2=1.18&view=patch
If you fix this vulnerability please also include the CVE id
in your changelog entry.
For further information:
[0] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-0386
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
pgpGTiP20bMEA.pgp
Description: PGP signature
--- End Message ---
--- Begin Message ---
Hi Per,
* Per Olofsson <[EMAIL PROTECTED]> [2008-02-01 01:06]:
> Nico Golde wrote:
> > Source: xdg-utils
> > Severity: grave
> > Tags: security patch
> >
> > Hi,
> > the following CVE (Common Vulnerabilities & Exposures) id was
> > published for xdg-utils.
>
> The code in question is not present in the Debian package, because I have
> patched it to use run-mailcap or sensible-browser instead.
[...]
Thanks, that looks secure to me. I missed the patch when
looking at the package because its name does not imply any
security relevant changes. So thanks, I marked this as
not-affected in our security tracker and thus closing this
bug.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
pgpn0fDupJSe7.pgp
Description: PGP signature
--- End Message ---
