[Secure-testing-team] Bug#777722: xdg-open: another command injection vulnerability

Jiri Horner Wed, 11 Feb 2015 14:12:52 -0800

Package: xdg-utils
Version: 1.1.0~rc1+git20111210-7.3
Severity: grave
Tags: security patch
Justification: user security hole


Hi,

there is a long-standing issue with xdg-open on debian -- it parses all files 
it is trying to open. This is easily exploitable. Requirements are similar as 
in last RCE: Window Manager which is _NOT_ one of the following:

* KDE
* GNOME
* MATE
* XFCE
* ENLIGHTENMENT

Problem is caused by name collision in local variables, which are apparently 
not very local in this case (maybe also dash problem?)

Exploit was made from wikipedia image [0].

It would be nice to have it fixed in jessie.

Cheers,

Jiri

[0] 
https://commons.wikimedia.org/wiki/Category:Unidentified_animals#mediaviewer/File:Augochlora_buscki,_M,_Back5,_Puerto_Rico,_Yauco_2014-09-15-18.11.39_ZS_PMax_(16292752499).jpg


-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'testing-updates'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

xdg-utils depends on no packages.

Versions of packages xdg-utils recommends:
pn  libfile-mimeinfo-perl  <none>
pn  libnet-dbus-perl       <none>
pn  libx11-protocol-perl   <none>
ii  x11-utils              7.7+2
ii  x11-xserver-utils      7.7+3+b1

Versions of packages xdg-utils suggests:
pn  gvfs-bin  <none>

-- no debconf information

--- xdg-open.orig	2015-02-11 21:40:42.560282993 +0100
+++ xdg-open	2015-02-11 21:44:10.695894428 +0100
@@ -538,16 +538,16 @@
 
 DEBUG 3 "$xdg_user_dir:$xdg_system_dirs"
         for x in `echo "$xdg_user_dir:$xdg_system_dirs" | sed 's/:/ /g'`; do
-            local file
+            local desktop_file
             # look for both vendor-app.desktop, vendor/app.desktop
             if [ -r "$x/applications/$default" ]; then
-              file="$x/applications/$default"
+              desktop_file="$x/applications/$default"
             elif [ -r "$x/applications/`echo $default | sed -e 's|-|/|'`" ]; then
-              file="$x/applications/`echo $default | sed -e 's|-|/|'`"
+              desktop_file="$x/applications/`echo $default | sed -e 's|-|/|'`"
             fi
 
-            if [ -r "$file" ] ; then
-                set -- $(sed -n 's/^Exec\(\[[^]]*\]\)\{0,1\}=//p' "$file")
+            if [ -r "$desktop_file" ] ; then
+                set -- $(sed -n 's/^Exec\(\[[^]]*\]\)\{0,1\}=//p' "$desktop_file")
                 command_exec="$(which "$1" 2> /dev/null)"
                 if [ -x "$command_exec" ] ; then
                     shift

_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team

[Secure-testing-team] Bug#777722: xdg-open: another command injection vulnerability

Reply via email to