Package: terminology
Version: 1.3.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
Owner: r...@kallisti.us
Forwarded: https://phab.enlightenment.org/T7504
Terminology 1.3.1 has been released to fix a remote code execution vulnerability in special escape handling. This can be mitigated by unchecking Settings -> Enable special Terminology escape codes. I'm preparing a release.

Details from upstream bug report:

The \e}pn sequence allows a user to display media like an image or open a web page. However, all unknown media types are handled with the media_unknown_handle function, which executes xdg-open against the file type. This creates a large attack surface that allows a remotely introduced executable file to be executed when that file's MIME type is registered for xdg-open.

See the linked bug for full info.

Ross
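As an added illustration, not part of the bug report or of the Terminology project, the following Python filter detects and strips Terminology private escapes from untrusted text before it is written to a terminal, which is the kind of check a pager or log viewer could apply alongside the settings-based mitigation above. The report only names the \e}pn prefix; the assumption here is that the escape body runs from ESC } up to a NUL terminator, and the sample input with its path is constructed for the example.

```python
import re

ESC = "\x1b"

# Terminology private escapes begin with ESC } (the report names the \e}pn
# media sequence).  Assumption: the body ends at a NUL byte; the report does
# not state the terminator, so adjust the pattern if the wire format differs.
TERMINOLOGY_ESCAPE = re.compile(r"\x1b\}([^\x00]*)\x00")


def find_terminology_escapes(data: str):
    """Return a list of (command, argument) pairs for each Terminology escape.

    The body is split on the first ';' so that '\\e}pn;/some/path' yields
    ('pn', '/some/path').  Ordinary CSI sequences such as ESC [ 31 m are
    left alone because they do not start with ESC }.
    """
    found = []
    for m in TERMINOLOGY_ESCAPE.finditer(data):
        cmd, _, arg = m.group(1).partition(";")
        found.append((cmd, arg))
    return found


def strip_terminology_escapes(data: str) -> str:
    """Remove every Terminology private escape, keeping all other text."""
    return TERMINOLOGY_ESCAPE.sub("", data)


# Constructed sample: untrusted output that embeds a media-display escape
# pointing at a file the attacker has already placed on the system.
SAMPLE = (
    "normal text\n"
    + ESC + "}pn;/tmp/downloaded-file" + "\x00"
    + "more text\n"
)

if __name__ == "__main__":
    for cmd, arg in find_terminology_escapes(SAMPLE):
        print(f"blocked Terminology escape: command={cmd!r} argument={arg!r}")
    print(strip_terminology_escapes(SAMPLE), end="")
```

Running the module reports the embedded pn escape and prints the sample with the escape removed; feeding arbitrary output through strip_terminology_escapes before it reaches a Terminology window keeps the media handler, and therefore xdg-open, out of reach of data the user did not type.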