This bug was fixed in the package gnome-shell-extension-desktop-icons -
19.01.3-1~ubuntu19.04.1
---
gnome-shell-extension-desktop-icons (19.01.3-1~ubuntu19.04.1) disco;
urgency=medium
* Backport new upstream release from eoan to disco (LP: #1829244)
- Fixes insecure
** Changed in: gnome-shell-extension-desktop-icons (Ubuntu Disco)
Importance: Undecided => High
--
You received this bug notification because you are a member of Ubuntu
Desktop Bugs, which is subscribed to gnome-shell-extension-desktop-icons
in Ubuntu.
https://bugs.launchpad.net/bugs/1825396
I tested version 19.01.3-1~ubuntu19.04.1 (from -proposed) on a fully
updated 19.04, and can no longer reproduce this issue: The terminal
window opens - as expected - in directory ~/Desktop/aaa'bbb/. Injecting
commands as discussed in comment 2 appears to be no longer possible.
** Tags removed:
Hello Tom, or anyone else affected,
Accepted gnome-shell-extension-desktop-icons into disco-proposed. The
package will build now and be available at
https://launchpad.net/ubuntu/+source/gnome-shell-extension-desktop-icons/19.01.3-1~ubuntu19.04.1
in a few hours, and then in the -proposed
OK got it in eoan, will update disco now (might take some time to be
processed).
** Description changed:
+ [ Description ]
+
Attempting to open a Desktop folder named "aaa'bbb" (without double
quotes) using the "Open in Terminal" option from the context menu
produces a notification
I've pinged upstream, expecting a release soon which I will try to SRU.
** Changed in: gnome-shell-extension-desktop-icons
Status: New => Fix Released
Upstream bug: https://gitlab.gnome.org/World/ShellExtensions/desktop-icons/issues/111
** Changed in: gnome-shell-extension-desktop-icons
Status: Unknown => New
Iain, could you have a look at this one?
** Changed in: gnome-shell-extension-desktop-icons (Ubuntu)
Importance: Undecided => High
** Changed in: gnome-shell-extension-desktop-icons (Ubuntu)
Assignee: (unassigned) => Iain Lane (laney)
** Bug watch added: gitlab.gnome.org/World/ShellExtensions/desktop-icons/issues
#111
https://gitlab.gnome.org/World/ShellExtensions/desktop-icons/issues/111
** Also affects: gnome-shell-extension-desktop-icons via
https://gitlab.gnome.org/World/ShellExtensions/desktop-icons/issues/111
As discussed on IRC, command injection is actually possible here.
** Changed in: gnome-shell-extension-desktop-icons (Ubuntu)
Status: New => Confirmed
Marking this as security since the following directory name proves
command execution is possible:
aaa -e bash -c 'firefox'
** Information type changed from Public to Public Security
Title:
"Open in Terminal" returns