Your message dated Sun, 22 Feb 2015 21:32:42 +0000
with message-id <e1ype8o-0003jl...@franck.debian.org>
and subject line Bug#777722: fixed in xdg-utils 1.1.0~rc1+git20111210-6+deb7u3
has caused the Debian Bug report #777722,
regarding xdg-open: CVE-2015-1877: command injection vulnerability
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
777722: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=777722
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: xdg-utils
Version: 1.1.0~rc1+git20111210-7.3
Severity: grave
Tags: security patch
Justification: user security hole
Hi,
There is a long-standing issue with xdg-open on Debian -- it parses all files
it is trying to open. This is easily exploitable. The requirements are similar to
those in the last RCE: a window manager which is _NOT_ one of the following:
* KDE
* GNOME
* MATE
* XFCE
* ENLIGHTENMENT
The problem is caused by a name collision in local variables, which are apparently
not very local in this case (maybe also a dash problem?).
The exploit was made from a Wikipedia image [0].
It would be nice to have it fixed in jessie.
Cheers,
Jiri
[0]
https://commons.wikimedia.org/wiki/Category:Unidentified_animals#mediaviewer/File:Augochlora_buscki,_M,_Back5,_Puerto_Rico,_Yauco_2014-09-15-18.11.39_ZS_PMax_(16292752499).jpg
-- System Information:
Debian Release: 8.0
APT prefers testing
APT policy: (990, 'testing'), (500, 'testing-updates'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
xdg-utils depends on no packages.
Versions of packages xdg-utils recommends:
pn libfile-mimeinfo-perl <none>
pn libnet-dbus-perl <none>
pn libx11-protocol-perl <none>
ii x11-utils 7.7+2
ii x11-xserver-utils 7.7+3+b1
Versions of packages xdg-utils suggests:
pn gvfs-bin <none>
-- no debconf information
--- xdg-open.orig 2015-02-11 21:40:42.560282993 +0100
+++ xdg-open 2015-02-11 21:44:10.695894428 +0100
@@ -538,16 +538,16 @@
DEBUG 3 "$xdg_user_dir:$xdg_system_dirs"
for x in `echo "$xdg_user_dir:$xdg_system_dirs" | sed 's/:/ /g'`; do
- local file
+ local desktop_file
# look for both vendor-app.desktop, vendor/app.desktop
if [ -r "$x/applications/$default" ]; then
- file="$x/applications/$default"
+ desktop_file="$x/applications/$default"
elif [ -r "$x/applications/`echo $default | sed -e 's|-|/|'`" ]; then
- file="$x/applications/`echo $default | sed -e 's|-|/|'`"
+ desktop_file="$x/applications/`echo $default | sed -e 's|-|/|'`"
fi
- if [ -r "$file" ] ; then
- set -- $(sed -n 's/^Exec\(\[[^]]*\]\)\{0,1\}=//p' "$file")
+ if [ -r "$desktop_file" ] ; then
+ set -- $(sed -n 's/^Exec\(\[[^]]*\]\)\{0,1\}=//p' "$desktop_file")
command_exec="$(which "$1" 2> /dev/null)"
if [ -x "$command_exec" ] ; then
shift
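Review bot: the rename to `desktop_file` removes the collision with the caller's `file`, but the new variable is still declared with a bare `local desktop_file` and only assigned inside the `if`/`elif` branches, so when neither branch matches, the `if [ -r "$desktop_file" ]` test sees whatever value the variable already carried; under dash, `local` inherits the surrounding scope's value instead of starting unset, which is exactly how the old `local file` ended up pointing at the document being opened. Initialise it explicitly, `local desktop_file=""`, so a stale value cannot pass the `-r` check in any shell. Separately, `$default` is unquoted inside the two `` `echo $default | sed -e 's|-|/|'` `` expansions, so a value containing whitespace or glob characters is split and expanded before sed sees it; `echo "$default"` would be safer.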
--- End Message ---
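The report above says the collision is between a `local file` inside the desktop-file lookup and the `file` that holds the document being opened, and that dash's `local` is "not very local". The script below is an added example, not code from the bug report or from xdg-utils: it rebuilds the pre-patch lookup shape and a hardened one against constructed sample files (a downloaded text file carrying an `Exec=` line, and an empty applications directory), and probes whether the running shell inherits a caller's value into a bare `local`. The function names `find_exec_vulnerable`, `find_exec_fixed`, `open_document_*` and `shell_inherits_local` are this example's own; the `sed` expression is the one from the patched lines.

```shell
#!/bin/sh
# Added example, not from the bug report or from xdg-utils: reproduces the
# scoping pattern behind CVE-2015-1877 with constructed sample files.
# find_exec_*, open_document_* and shell_inherits_local are this example's
# own names.

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed sample: a downloaded text document that happens to carry an
# Exec= line, as an attacker-supplied file could.  No .desktop file matches.
DOC="$WORKDIR/downloaded.txt"
printf 'just a note\nExec=touch /tmp/pwned %%u\n' > "$DOC"
APPDIR="$WORKDIR/applications"
mkdir -p "$APPDIR"

# Does 'local name' (without assignment) inherit the caller's value?
# dash: yes (exit 0).  bash: the local starts unset (exit 1).
probe_local() { local probe_var; [ "${probe_var:-}" = outer ]; }
shell_inherits_local() { probe_var=outer; probe_local; }

# Pre-patch shape of the xdg-open loop body: the holder for the .desktop
# path is 'local file', the same name the caller uses for the document.
find_exec_vulnerable() {
    default=$1
    x=$APPDIR
    local file
    if [ -r "$x/$default" ]; then
        file="$x/$default"
    fi
    # With no .desktop match, "$file" is whatever 'local file' left in it.
    if [ -r "$file" ]; then
        set -- $(sed -n 's/^Exec\(\[[^]]*\]\)\{0,1\}=//p' "$file")
        printf '%s\n' "$1"      # the program xdg-open would hand to 'which'
    fi
}

# Hardened shape: a distinct name *and* an explicit initialisation, so the
# -r test cannot see an inherited value under any shell.
find_exec_fixed() {
    default=$1
    x=$APPDIR
    local desktop_file=""
    if [ -r "$x/$default" ]; then
        desktop_file="$x/$default"
    fi
    if [ -r "$desktop_file" ]; then
        set -- $(sed -n 's/^Exec\(\[[^]]*\]\)\{0,1\}=//p' "$desktop_file")
        printf '%s\n' "$1"
    fi
}

# Callers: the document to open sits in a variable named 'file', as in the
# outer xdg-open code.  Each prints the command that would be executed.
open_document_vulnerable() { file=$1; find_exec_vulnerable no-such-app.desktop; }
open_document_fixed()      { file=$1; find_exec_fixed no-such-app.desktop; }

echo "vulnerable lookup would run: '$(open_document_vulnerable "$DOC")'"
echo "fixed lookup would run:      '$(open_document_fixed "$DOC")'"
```

Run it with `dash script.sh` and `bash script.sh`: under dash the vulnerable lookup yields `touch`, taken from the document itself, while under bash the bare `local file` starts empty and nothing is found; the fixed lookup yields nothing under either shell. The shell-dependence is the point of the report, so a script that must behave the same everywhere should initialise every `local` it declares.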
--- Begin Message ---
Source: xdg-utils
Source-Version: 1.1.0~rc1+git20111210-6+deb7u3
We believe that the bug you reported is fixed in the latest version of
xdg-utils, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 777...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Gilbert <mgilb...@debian.org> (supplier of updated xdg-utils package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 22 Feb 2015 03:29:59 +0000
Source: xdg-utils
Binary: xdg-utils
Architecture: source all
Version: 1.1.0~rc1+git20111210-6+deb7u3
Distribution: stable-security
Urgency: high
Maintainer: Per Olofsson <pe...@debian.org>
Changed-By: Michael Gilbert <mgilb...@debian.org>
Description:
xdg-utils - desktop integration utilities from freedesktop.org
Closes: 777722
Changes:
xdg-utils (1.1.0~rc1+git20111210-6+deb7u3) stable-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fix CVE-2015-1877: command injection vulnerability in xdg-open due to
not really local variables in dash (closes: #777722).
Checksums-Sha1:
 f46a4c3bd29c75188d95aa7d4feb60311f5e66ae 2722 xdg-utils_1.1.0~rc1+git20111210-6+deb7u3.dsc
 033d643da189a74a59d58a29cac8231931dacc6a 11940 xdg-utils_1.1.0~rc1+git20111210-6+deb7u3.debian.tar.gz
 0244e022cc31de66cf9bfdbe79064b27742de49a 82506 xdg-utils_1.1.0~rc1+git20111210-6+deb7u3_all.deb
Checksums-Sha256:
 9181c1ea8205fcd97951cc2f75e143c45e8fe03a0f5797ebc087d006b907142e 2722 xdg-utils_1.1.0~rc1+git20111210-6+deb7u3.dsc
 08e6dbca542b95f47a3deba02dbd07547e7ad7e71331d11c71f656b82d7bc32a 11940 xdg-utils_1.1.0~rc1+git20111210-6+deb7u3.debian.tar.gz
 08f4cd4d8f27d5201fd22c955a63f6f1bdfbc82441d485cd9b2efac9e6dbda56 82506 xdg-utils_1.1.0~rc1+git20111210-6+deb7u3_all.deb
Files:
 a51d0dba840094732dcc6a9b767a7267 2722 utils optional xdg-utils_1.1.0~rc1+git20111210-6+deb7u3.dsc
 bdbb6d9b6d08c43c241b7e72ee0615fa 11940 utils optional xdg-utils_1.1.0~rc1+git20111210-6+deb7u3.debian.tar.gz
 06e3f434b7f0827755f913fc432d9ef2 82506 utils optional xdg-utils_1.1.0~rc1+git20111210-6+deb7u3_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--- End Message ---