Package: global
X-Debbugs-CC: t...@security.debian.org secure-testing-team@lists.alioth.debian.org
Severity: important
Tags: security
Hi,

the following vulnerability was published for global.

CVE-2017-17531[0]:
| gozilla.c in GNU GLOBAL 4.8.6 does not validate strings before
| launching the program specified by the BROWSER environment variable,
| which might allow remote attackers to conduct argument-injection
| attacks via a crafted URL.

This boils down to this part of the code:
https://sources.debian.org/src/global/4.8.6-2/gozilla/gozilla.c/?hl=281:283#L281

  snprintf(com, sizeof(com), "%s \"%s\"", browser, strbuf_value(URL));
  system(com);

I'm not quite sure where the URL can come from, but assuming that
someone malicious can inject a bad URL up to this code, then there's a
possibility of command injection when the URL contains shell
meta-characters (think « http://foo/";command;" » or
« http://foo$(command)/ »).

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-17531
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17531

Please adjust the affected versions in the BTS as needed.

-- 
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/

_______________________________________________
Secure-testing-team mailing list
Secure-testing-team@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team
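The snprintf/system pattern quoted in the report, shown next to a launcher that never hands the URL to a shell. This is an added example written for this page; it is not code from GNU GLOBAL or from the bug reporter. The function names (build_shell_command, url_has_shell_meta, build_argv, launch_browser_safe), the fixed buffer sizes and the sample URLs are all assumptions made for the illustration; the only thing taken from the report is the format string "%s \"%s\"". Quoting the URL in double quotes does not help: a '"' in the URL closes the quote and anything after ';' runs as a separate command, and '$(...)', backticks and backslashes are expanded even inside double quotes. The hardened launcher splits BROWSER on whitespace itself, appends the URL as one argv entry and calls execvp(), so the shell never sees any of it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Vulnerable pattern, modelled on the gozilla.c snippet in the report:
 * the URL is interpolated into a shell command line and handed to
 * system(). Returns 0 on success, -1 if the command did not fit. */
static int build_shell_command(const char *browser, const char *url,
                               char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s \"%s\"", browser, url);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Characters that are still special inside a POSIX double-quoted
 * argument: '"' closes the quote, '$' and '`' trigger expansion,
 * '\' escapes. A detection aid only; the real fix is below. */
static int url_has_shell_meta(const char *url)
{
    return strpbrk(url, "\"$`\\") != NULL;
}

/* Split BROWSER on blanks/tabs into argv (plain whitespace split, no
 * shell parsing), append the URL as a single argument, NULL-terminate.
 * buf receives a copy of browser that the argv entries point into.
 * Returns argc, or -1 on empty BROWSER or insufficient space. */
static int build_argv(const char *browser, const char *url,
                      char *buf, size_t buflen,
                      char **argv, size_t maxargs)
{
    size_t argc = 0;
    if (strlen(browser) >= buflen)
        return -1;
    strcpy(buf, browser);
    for (char *tok = strtok(buf, " \t"); tok; tok = strtok(NULL, " \t")) {
        if (argc + 2 >= maxargs)      /* keep room for url and NULL */
            return -1;
        argv[argc++] = tok;
    }
    if (argc == 0)
        return -1;
    argv[argc++] = (char *)url;       /* one argv entry, never re-parsed */
    argv[argc] = NULL;
    return (int)argc;
}

/* Hardened launcher: fork + execvp with the argv built above. Returns the
 * child's exit status (127 if the browser could not be executed), or -1. */
static int launch_browser_safe(const char *browser, const char *url)
{
    char buf[1024];
    char *argv[32];
    int status;

    if (build_argv(browser, url, buf, sizeof buf, argv, 32) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample input: the first URL from the report, with
     * "command" replaced by "id". Not executed through a shell here. */
    const char *url = "http://foo/\";id;\"";
    char cmd[256];

    if (build_shell_command("firefox", url, cmd, sizeof cmd) == 0)
        printf("system() would have run: %s\n", cmd);
    printf("shell metacharacters in URL: %s\n",
           url_has_shell_meta(url) ? "yes" : "no");

    /* 'echo' stands in for the browser so the single argv entry is visible;
     * the embedded ';id;' arrives as literal text and 'id' never runs. */
    return launch_browser_safe("echo", url) == 0 ? 0 : 1;
}
```

One caveat: a BROWSER value that relied on shell syntax (quotes, pipes, a URL placeholder) will no longer be interpreted, which is exactly the point; if a multi-word BROWSER must keep working, whitespace splitting as above covers the common "browser -flag" form. The url_has_shell_meta() check is useful for logging or rejecting suspicious input, but filtering alone leaves the shell in the path and is the weaker option.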