control: tag -1 pending

On Sun, Dec 14, 2014 at 12:32 AM, Michael Gilbert wrote:
> A command injection issue was disclosed for xdg-open:
> http://seclists.org/fulldisclosure/2014/Nov/36
>
> Patch for testing here:
> https://bugs.freedesktop.org/attachment.cgi?id=109536

Hi, I prepared an update fixing this, which I'll plan to upload to
delayed in a few days, but would appreciate review and testing
beforehand.  Please see attached.

Best wishes,
Mike
diff -Nru xdg-utils-1.1.0~rc1+git20111210/debian/changelog xdg-utils-1.1.0~rc1+git20111210/debian/changelog
--- xdg-utils-1.1.0~rc1+git20111210/debian/changelog	2014-04-23 20:22:14.000000000 +0000
+++ xdg-utils-1.1.0~rc1+git20111210/debian/changelog	2014-12-31 22:47:14.000000000 +0000
@@ -1,3 +1,10 @@
+xdg-utils (1.1.0~rc1+git20111210-7.2) unstable; urgency=medium
+
+  * Non-maintainer upload by the Security Team.
+  * Fix command injection vulnerability in xdg-open (closes: #773085).
+
+ -- Michael Gilbert <mgilb...@debian.org>  Wed, 31 Dec 2014 22:42:44 +0000
+
 xdg-utils (1.1.0~rc1+git20111210-7.1) unstable; urgency=medium
 
   * Non-maintainer upload.
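Review bot: urgency=medium is the one thing I would change in this entry; for an NMU fixing a publicly disclosed vulnerability the usual Debian practice is urgency=high so the fix migrates quickly. It would also help later readers if the entry cited the upstream bug (BR66670) next to `closes: #773085`, since only the patch header carries that reference.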
diff -Nru xdg-utils-1.1.0~rc1+git20111210/debian/patches/command-injection.patch xdg-utils-1.1.0~rc1+git20111210/debian/patches/command-injection.patch
--- xdg-utils-1.1.0~rc1+git20111210/debian/patches/command-injection.patch	1970-01-01 00:00:00.000000000 +0000
+++ xdg-utils-1.1.0~rc1+git20111210/debian/patches/command-injection.patch	2014-12-31 23:11:29.000000000 +0000
@@ -0,0 +1,22 @@
+description: [PATCH] xdg-open: command injection vulnerability (BR66670)
+origin: adapted from ab053fd4bbba25fda3eb34cf16188917c955ab7b
+author: Rex Dieter <rdie...@math.unl.edu>
+
+--- a/scripts/xdg-open.in
++++ b/scripts/xdg-open.in
+@@ -140,12 +140,12 @@ DEBUG 3 "$xdg_user_dir:$xdg_system_dirs"
+                 command_exec=`which $command 2>/dev/null`
+                 arguments="`grep -E "^Exec(\[[^]=]*])?=" "$file" | cut -d= -f 2- | last_word`"
+                 local sed_escaped_url="$(echo "$1" | sed -e 's/[&\\]/\\&/g')"
+-                arguments_exec="`echo $arguments | sed -e 's*%[fFuU]*"'"$sed_escaped_url"'"*g'`"
++                arguments_exec="$(echo "$arguments" | sed -e 's*%[fFuU]*$sed_escaped_url*g')"
+                 if [ -x "$command_exec" ] ; then
+                     if echo $arguments | grep -iq '%[fFuU]' ; then
+-                        eval $command_exec $arguments_exec
++                        eval '$command_exec' '$arguments_exec'
+                     else
+-                        eval $command_exec $arguments_exec '"$1"'
++                        eval '$command_exec' '$arguments_exec' '"$1"'
+                     fi
+ 
+                     if [ $? -eq 0 ]; then
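Review bot: the `%[fFuU]` branch looks like it no longer passes the URL at all. The sed script in `arguments_exec="$(echo "$arguments" | sed -e 's*%[fFuU]*$sed_escaped_url*g')"` is single-quoted, so it writes the literal text `$sed_escaped_url` into `arguments_exec`; `eval '$command_exec' '$arguments_exec'` then expands each variable exactly once and does not rescan the result, so the application is started with the literal string `$sed_escaped_url` as its argument instead of the URL. The `else` branch (`'"$1"'`) is fine, because there `$1` is expanded once inside the eval'd double quotes. Suggested fix: have sed emit a quoted reference that eval expands once, e.g. `"$sed_escaped_url"`, and call `eval "$command_exec" "$arguments_exec"`, or better drop eval entirely and build the argument list with `set --` so the URL is never parsed as shell text. Note also that once the URL itself no longer goes through sed's replacement, the `&`/`\` escaping into `sed_escaped_url` becomes moot. Before upload, please test a desktop file with `%u` and one without, each with a plain URL and one containing `$(...)` or backticks, and check the argv the launched program actually receives.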
diff -Nru xdg-utils-1.1.0~rc1+git20111210/debian/patches/series xdg-utils-1.1.0~rc1+git20111210/debian/patches/series
--- xdg-utils-1.1.0~rc1+git20111210/debian/patches/series	2014-04-23 20:22:14.000000000 +0000
+++ xdg-utils-1.1.0~rc1+git20111210/debian/patches/series	2014-12-31 22:48:31.000000000 +0000
@@ -7,3 +7,4 @@
 xdg-open-escape-sed.diff
 no-X.diff
 fix-bashism-use-of-echo.patch
+command-injection.patch
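Review bot: the ordering here is correct, command-injection.patch has to come after xdg-open-escape-sed.diff because its context line `local sed_escaped_url=...` only exists once that earlier patch is applied; worth confirming with `quilt push -a` that the whole series still applies without fuzz before uploading.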