Your message dated Thu, 30 Apr 2015 22:00:13 +0000
with message-id <e1ynwvb-0007xx...@franck.debian.org>
and subject line Bug#777722: fixed in xdg-utils 1.0.2+cvs20100307-2+deb6u1
has caused the Debian Bug report #777722,
regarding xdg-open: CVE-2015-1877: command injection vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
777722: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=777722
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: xdg-utils
Version: 1.1.0~rc1+git20111210-7.3
Severity: grave
Tags: security patch
Justification: user security hole

Hi,

there is a long-standing issue with xdg-open on Debian -- it parses all files
it is trying to open. This is easily exploitable. Requirements are similar to
those in the last RCE: a window manager which is _NOT_ one of the following:

* KDE
* GNOME
* MATE
* XFCE
* ENLIGHTENMENT

The problem is caused by a name collision in local variables, which are apparently
not very local in this case (maybe also a dash problem?)

The exploit was made from a Wikipedia image [0].

It would be nice to have it fixed in jessie.

Cheers,

Jiri

[0] https://commons.wikimedia.org/wiki/Category:Unidentified_animals#mediaviewer/File:Augochlora_buscki,_M,_Back5,_Puerto_Rico,_Yauco_2014-09-15-18.11.39_ZS_PMax_(16292752499).jpg


-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'testing-updates'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

xdg-utils depends on no packages.

Versions of packages xdg-utils recommends:
pn  libfile-mimeinfo-perl  <none>
pn  libnet-dbus-perl       <none>
pn  libx11-protocol-perl   <none>
ii  x11-utils              7.7+2
ii  x11-xserver-utils      7.7+3+b1

Versions of packages xdg-utils suggests:
pn  gvfs-bin  <none>

-- no debconf information
--- xdg-open.orig	2015-02-11 21:40:42.560282993 +0100
+++ xdg-open	2015-02-11 21:44:10.695894428 +0100
@@ -538,16 +538,16 @@
 
 DEBUG 3 "$xdg_user_dir:$xdg_system_dirs"
         for x in `echo "$xdg_user_dir:$xdg_system_dirs" | sed 's/:/ /g'`; do
-            local file
+            local desktop_file
             # look for both vendor-app.desktop, vendor/app.desktop
             if [ -r "$x/applications/$default" ]; then
-              file="$x/applications/$default"
+              desktop_file="$x/applications/$default"
             elif [ -r "$x/applications/`echo $default | sed -e 's|-|/|'`" ]; then
-              file="$x/applications/`echo $default | sed -e 's|-|/|'`"
+              desktop_file="$x/applications/`echo $default | sed -e 's|-|/|'`"
             fi
 
-            if [ -r "$file" ] ; then
-                set -- $(sed -n 's/^Exec\(\[[^]]*\]\)\{0,1\}=//p' "$file")
+            if [ -r "$desktop_file" ] ; then
+                set -- $(sed -n 's/^Exec\(\[[^]]*\]\)\{0,1\}=//p' "$desktop_file")
                 command_exec="$(which "$1" 2> /dev/null)"
                 if [ -x "$command_exec" ] ; then
                     shift
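Review bot: the rename to `desktop_file` removes the collision with the caller's `file`, but the new variable is still declared with a bare `local desktop_file` and only assigned inside the two `if` branches; under dash a bare `local` keeps whatever value the same name already holds in the enclosing scope, so the "no matching .desktop entry" case is only safe as long as nothing outside ever sets `desktop_file`. Initialising it at the declaration, `local desktop_file=""` (or a `desktop_file=` right after it), closes that path regardless of the shell. Separately, `set -- $(sed -n 's/^Exec\(\[[^]]*\]\)\{0,1\}=//p' "$desktop_file")` and `echo $default` remain unquoted, so the Exec= value and the desktop name are word-split and glob-expanded before `which "$1"` sees them; that is pre-existing behaviour rather than something this hunk introduces, but it is the same parsing site and worth tightening while it is being touched.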

--- End Message ---
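As an added illustration that is not part of the bug report or of xdg-utils itself, the following shell model reproduces the lookup Jiri describes: the pre-patch shape, where the parser can fall through to the file the user asked to open, beside the hardened shape with a distinct, explicitly emptied variable. The function names, the "example-viewer.desktop" name, the applications directory passed in and the poisoned file are all constructed for this example; nothing extracted is ever executed.

```shell
#!/bin/sh
# Added example, not xdg-utils code: a stripped-down model of the
# xdg-open .desktop lookup that CVE-2015-1877 lives in.  Function names,
# the .desktop name and the applications directory are hypothetical;
# the poisoned file is constructed inline.
set -u

# Constructed stand-in for the "image" a victim opens: a junk header line
# followed by a .desktop-style Exec= key.  Both lookup functions below only
# return the command text they would have run; nothing is executed.
make_poisoned_file() {
    tmp=$(mktemp) || return 1
    printf '%s\n' 'JFIF junk header' 'Exec=xterm -e id' > "$tmp"
    printf '%s\n' "$tmp"
}

# Pre-patch shape.  In xdg-open the caller keeps the file to open in $file
# and the lookup declares 'local file', which under dash inherits the
# caller's value instead of starting empty.  That inheritance is emulated
# here by leaving $file untouched when no .desktop entry is found, so the
# Exec= key is read out of the user's own file.
exec_line_vulnerable() {
    file=$1          # file the user asked to open
    default=$2       # .desktop name chosen for its MIME type
    appdir=$3        # directory searched for that .desktop file
    if [ -r "$appdir/$default" ]; then
        file="$appdir/$default"
    fi
    if [ -r "$file" ]; then
        sed -n 's/^Exec\(\[[^]]*\]\)\{0,1\}=//p' "$file"
    fi
}

# Hardened shape: a separately named, explicitly emptied variable carries
# the .desktop path, so the parser can never fall through to $file.
exec_line_fixed() {
    file=$1
    default=$2
    appdir=$3
    desktop_file=""
    if [ -r "$appdir/$default" ]; then
        desktop_file="$appdir/$default"
    fi
    if [ -n "$desktop_file" ] && [ -r "$desktop_file" ]; then
        sed -n 's/^Exec\(\[[^]]*\]\)\{0,1\}=//p' "$desktop_file"
    fi
}

# Check for the shell xdg-open actually runs under: prints "inherited"
# where a bare 'local' keeps the enclosing value (dash) and "unset" where
# it starts empty (bash).
probe_local_inheritance() {
    _outer=inherited
    _inner() { local _outer; printf '%s' "${_outer:-unset}"; }
    _inner
}

# Demonstration against a directory that holds no matching .desktop entry.
poisoned=$(make_poisoned_file)
printf 'vulnerable lookup returns: %s\n' \
    "$(exec_line_vulnerable "$poisoned" example-viewer.desktop /nonexistent/applications)"
printf 'fixed lookup returns:      %s\n' \
    "$(exec_line_fixed "$poisoned" example-viewer.desktop /nonexistent/applications)"
printf 'bare local in this shell:  %s\n' "$(probe_local_inheritance)"
rm -f "$poisoned"
```

The model stops at returning the Exec= text; in xdg-open the same text goes through `set -- $(...)` and `which "$1"` and is then run, which is the injection. Running the script under `dash` and then under `bash` shows why the report suspects dash: the probe prints "inherited" under one and "unset" under the other, while the two lookup functions behave identically under both because the inheritance is emulated explicitly.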
--- Begin Message ---
Source: xdg-utils
Source-Version: 1.0.2+cvs20100307-2+deb6u1

We believe that the bug you reported is fixed in the latest version of
xdg-utils, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 777...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <sunwea...@debian.org> (supplier of updated xdg-utils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 22 Apr 2015 14:50:36 +0200
Source: xdg-utils
Binary: xdg-utils
Architecture: source all
Version: 1.0.2+cvs20100307-2+deb6u1
Distribution: squeeze-lts
Urgency: medium
Maintainer: Per Olofsson <pe...@debian.org>
Changed-By: Mike Gabriel <sunwea...@debian.org>
Description: 
 xdg-utils  - desktop integration utilities from freedesktop.org
Closes: 652067 654863 773085 777722
Changes: 
 xdg-utils (1.0.2+cvs20100307-2+deb6u1) squeeze-lts; urgency=medium
 .
   * Non-maintainer upload by Debian LTS Team.
   * debian/patches:
     + Add backport-jessie-open-generic-xdg-mime-function.diff.
       Backport open_generic(), open_generic_xdg_x_scheme_handler(),
       open_generic_xdg_file_mime() and open_generic_xdg_mime() functions
       from xdg-utils 1.1.0~rc1+git20111210-7.4 (as found in Debian 8.0).
       Closes: #777722, #773085, #654863, #652067.
       Fixes: CVE-2014-9622, CVE-2015-1877.
     + Drop run-mailcap-decode.diff. Included in patch file
       backport-jessie-open-generic-xdg-mime-function.diff.
Checksums-Sha1: 
 5e3e1576805653c7269e4d543acbac8273c73924 1978 xdg-utils_1.0.2+cvs20100307-2+deb6u1.dsc
 0471ebf04057e29febffcf7360b8577f42076c5b 7549 xdg-utils_1.0.2+cvs20100307-2+deb6u1.debian.tar.gz
 d2ccfb7d99798d85f74488479010a688e3c0a360 66262 xdg-utils_1.0.2+cvs20100307-2+deb6u1_all.deb
Checksums-Sha256: 
 79e8286e6a108e34da9902350cc8f77e031efae49ec91864baa954c356436e1d 1978 xdg-utils_1.0.2+cvs20100307-2+deb6u1.dsc
 75cd1351d814b9f2dbbd17c04c4626ebda0381e049f64606d85d301b6a3f0254 7549 xdg-utils_1.0.2+cvs20100307-2+deb6u1.debian.tar.gz
 3eeb1abbca1abf47b86764b2a4735a143517b5f4ca9804749b1a80cd85e96f07 66262 xdg-utils_1.0.2+cvs20100307-2+deb6u1_all.deb
Files: 
 9bead637cbc582a41097679f26ada163 1978 utils optional xdg-utils_1.0.2+cvs20100307-2+deb6u1.dsc
 a2d7682ffcda3d33c4a43f6fe99a5a12 7549 utils optional xdg-utils_1.0.2+cvs20100307-2+deb6u1.debian.tar.gz
 6ada59d429101b7c81c09c887667a96c 66262 utils optional xdg-utils_1.0.2+cvs20100307-2+deb6u1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
