Launchpad has imported 22 comments from the remote bug at https://bugs.freedesktop.org/show_bug.cgi?id=66670.
If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2013-07-07T15:09:03+00:00 Chris Reffett wrote:

A Gentoo user discovered [1] a vulnerability in xdg-open which allows for arbitrary command injection. I was able to confirm it by running the following command, and it worked with both our packaged version of xdg-utils (1.1.0_rc1 plus some patches) and current git master:

  DE="generic" XDG_CURRENT_DESKTOP="" xdg-open 'http://127.0.0.1/$(xterm)'
  START /usr/bin/chromium-browser "http://127.0.0.1/$(xterm)"

That command should open an xterm terminal instead of chromium. Further details available at our bug.

[1] https://bugs.gentoo.org/show_bug.cgi?id=472888

Reply at: https://bugs.launchpad.net/ubuntu/+source/xdg-utils/+bug/1413643/comments/0

------------------------------------------------------------------------
On 2013-07-07T15:28:09+00:00 Chris Reffett wrote:

This looks kind of similar to CVE-2008-0386 [1], though I don't believe shell metacharacters are the issue here. Different causes, similar impact.

Reply at: https://bugs.launchpad.net/ubuntu/+source/xdg-utils/+bug/1413643/comments/1

------------------------------------------------------------------------
On 2014-11-14T23:07:53+00:00 Rdieter-math wrote:

Reminded of this today, will take a closer look over the weekend.

Reply at: https://bugs.launchpad.net/ubuntu/+source/xdg-utils/+bug/1413643/comments/2

------------------------------------------------------------------------
On 2014-11-15T17:56:47+00:00 Alan Coopersmith wrote:

Posted to full-disclosure security mailing list yesterday:
http://seclists.org/fulldisclosure/2014/Nov/36

Reply at: https://bugs.launchpad.net/ubuntu/+source/xdg-utils/+bug/1413643/comments/3

------------------------------------------------------------------------
On 2014-11-15T19:06:37+00:00 Rdieter-math wrote:

I'm starting to wonder if this is specific to xdg-utils at all. Skipping xdg-open and running browsers directly:

  /usr/bin/google-chrome-stable "http://127.0.0.1/$(xterm)"
  /usr/bin/firefox "http://127.0.0.1/$(xterm)"

etc... does exactly the same thing.

Reply at: https://bugs.launchpad.net/ubuntu/+source/xdg-utils/+bug/1413643/comments/4

------------------------------------------------------------------------
On 2014-11-15T19:07:58+00:00 Rdieter-math wrote:

Ah, but using ' instead of " quotes, leads to something that avoids shell expansion, maybe we can simply go with that.

Reply at: https://bugs.launchpad.net/ubuntu/+source/xdg-utils/+bug/1413643/comments/5

------------------------------------------------------------------------
On 2014-11-15T19:50:01+00:00 Rdieter-math wrote:

Related here is bug #30453 and commit:
http://cgit.freedesktop.org/xdg/xdg-utils/commit/?id=a616912e48b7ff1d908852739d16525df79471b9

Got some apparent extraneous quoting going on

Reply at: https://bugs.launchpad.net/ubuntu/+source/xdg-utils/+bug/1413643/comments/6

------------------------------------------------------------------------
On 2014-11-15T20:02:09+00:00 Rdieter-math wrote:

Created attachment 109536
Fix argument quoting to avoid evaluation

First try to address argument quoting issues. Seems to fix test-case ok, trying other use-cases to verify no regressions. Please test.

Reply at: https://bugs.launchpad.net/ubuntu/+source/xdg-utils/+bug/1413643/comments/7

------------------------------------------------------------------------
On 2015-01-04T04:09:39+00:00 Rdieter-math wrote:

Any feedback here or alternative patches?

Reply at: https://bugs.launchpad.net/ubuntu/+source/xdg-utils/+bug/1413643/comments/8

------------------------------------------------------------------------
On 2015-01-04T19:36:14+00:00 Michael Gilbert wrote:

The proposed changes cause a regression. See http://bugs.debian.org/773085.

Reply at: https://bugs.launchpad.net/ubuntu/+source/xdg-utils/+bug/1413643/comments/9

------------------------------------------------------------------------
On 2015-01-05T19:10:47+00:00 Rdieter-math wrote:

Created attachment 111778
Fix argument quoting to avoid execution

second try, please test.

Reply at: https://bugs.launchpad.net/ubuntu/+source/xdg-utils/+bug/1413643/comments/10

------------------------------------------------------------------------
On 2015-01-06T22:04:12+00:00 Michael Gilbert wrote:

There is still a regression. File names with spaces won't work.
Reply at: https://bugs.launchpad.net/ubuntu/+source/xdg-utils/+bug/1413643/comments/11

------------------------------------------------------------------------
On 2015-01-06T22:23:24+00:00 Rdieter-math wrote:

OK, rats, back to the drawing board, I'll have to work harder to find a way to make it work while avoiding any 'eval'

Reply at: https://bugs.launchpad.net/ubuntu/+source/xdg-utils/+bug/1413643/comments/12

------------------------------------------------------------------------
On 2015-01-06T23:40:47+00:00 Rdieter-math wrote:

Created attachment 111873
nuke some extra quoting

first step to proper fix

Reply at: https://bugs.launchpad.net/ubuntu/+source/xdg-utils/+bug/1413643/comments/13

------------------------------------------------------------------------
On 2015-01-06T23:42:35+00:00 Rdieter-math wrote:

Created attachment 111874
Fix argument quoting to avoid execution

try wrapping vars in "' ... '"

Reply at: https://bugs.launchpad.net/ubuntu/+source/xdg-utils/+bug/1413643/comments/14

------------------------------------------------------------------------
On 2015-01-19T11:20:39+00:00 Rdieter-math wrote:

Haven't heard any complaints, so... Committed the latest approach,
http://cgit.freedesktop.org/xdg/xdg-utils/commit/?id=ab071beaabb62ceda3028dd5efa85e8057c29006

Reply at: https://bugs.launchpad.net/ubuntu/+source/xdg-utils/+bug/1413643/comments/15

------------------------------------------------------------------------
On 2015-01-21T19:59:09+00:00 Geert Janssens wrote:

I'm confused. How exactly can I verify the patch is fixing the arbitrary command injection vulnerability? I have installed xdg-utils-1.1.0-0.35.rc3.fc20, which should carry the patch. However the test command

  DE="generic" XDG_CURRENT_DESKTOP="" xdg-open 'http://127.0.0.1/$(xterm)'
  START /usr/bin/chromium-browser "http://127.0.0.1/$(xterm)"

opens an xterm both before I installed the test package and after.

I would have thought that the new package was supposed to open my default browser (being firefox). The package that was installed before the update was xdg-utils.noarch 0:1.1.0-0.31.rc2.fc20

Reply at: https://bugs.launchpad.net/ubuntu/+source/xdg-utils/+bug/1413643/comments/16

------------------------------------------------------------------------
On 2015-01-21T23:44:13+00:00 Rdieter-math wrote:

I cannot reproduce it anymore. What shell are you using?

Reply at: https://bugs.launchpad.net/ubuntu/+source/xdg-utils/+bug/1413643/comments/17

------------------------------------------------------------------------
On 2015-01-21T23:45:29+00:00 Rdieter-math wrote:

FWIW, I get:

  $ DE="generic" XDG_CURRENT_DESKTOP="" xdg-open 'http://127.0.0.1/$(xterm)
  START /usr/bin/google-chrome-stable http://127.0.0.1/$(xterm)

With a browser window with url: http://127.0.0.1/$(xterm)

Reply at: https://bugs.launchpad.net/ubuntu/+source/xdg-utils/+bug/1413643/comments/18

------------------------------------------------------------------------
On 2015-01-21T23:47:15+00:00 Rdieter-math wrote:

this test case, however, launches an xterm:

  DE="generic" XDG_CURRENT_DESKTOP="" xdg-open "http://127.0.0.1/$(xterm)"

(note the difference here is the argument is double quotes, not single quote)

I'll have to double-check if this is valid or not

Reply at: https://bugs.launchpad.net/ubuntu/+source/xdg-utils/+bug/1413643/comments/19

------------------------------------------------------------------------
On 2015-01-22T08:12:18+00:00 Florian Weimer wrote:

(In reply to Rex Dieter from comment #19)
> this test case, however, launches an xterm:
>
> DE="generic" XDG_CURRENT_DESKTOP="" xdg-open "http://127.0.0.1/$(xterm)"
>
> (note the difference here is the argument is double quotes, not single
> quote)
>
> I'll have to double-check if this is valid or not

This test case is not valid because the user's shell starts xterm before even calling xdg-open. There is nothing xdg-open can do against this.
Reply at: https://bugs.launchpad.net/ubuntu/+source/xdg-utils/+bug/1413643/comments/20

------------------------------------------------------------------------
On 2015-01-22T12:29:34+00:00 Rdieter-math wrote:

Thanks, I came to the same conclusion

Reply at: https://bugs.launchpad.net/ubuntu/+source/xdg-utils/+bug/1413643/comments/21

** Changed in: xdg-utils
   Status: Unknown => Fix Released

** Changed in: xdg-utils
   Importance: Unknown => Medium

** Bug watch added: Gentoo Bugzilla #472888
   https://bugs.gentoo.org/show_bug.cgi?id=472888

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0386

--
https://bugs.launchpad.net/bugs/1413643

Title:
  xdg-open command injection vulnerability
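The quoting problem the thread converges on, as an added example (my own code, not xdg-utils' and not any commenter's patch): a command template such as a browser's Exec line is handed to `eval` together with a caller-supplied URL. If the URL is spliced in between double quotes, `eval` re-parses it and runs any `$(...)` it contains; if it is wrapped in single quotes before `eval` sees it, as comment 14 describes, it stays one literal word. The function names `shell_quote`, `unsafe_run` and `safe_run` are hypothetical, the template `printf '%s\n'` stands in for a real handler, and the sample URL is constructed with a harmless `$(echo injected)` so the difference shows up in the output. The helper goes one step beyond plain `"'...'"` wrapping by also escaping single quotes embedded in the argument, which file names can contain.

```shell
#!/bin/sh
# Added example, not xdg-utils code. Names (shell_quote, unsafe_run,
# safe_run) are hypothetical; "printf '%s\n'" stands in for a handler's
# Exec line. Shows why eval over a double-quoted argument executes
# command substitutions inside it, and a quoting helper that makes eval
# treat the argument as a single literal word.

# Wrap $1 in single quotes. Each embedded single quote becomes '\''
# (close the quoted word, add an escaped quote, reopen it), so the
# result survives exactly one round of shell parsing as the original.
shell_quote() {
    rest=$1
    out="'"
    while :; do
        case $rest in
            *\'*)
                prefix=${rest%%\'*}
                rest=${rest#*\'}
                out="$out$prefix'\\''"
                ;;
            *)
                out="$out$rest'"
                break
                ;;
        esac
    done
    printf '%s' "$out"
}

# The shape of the original bug: the argument is spliced into the command
# string inside double quotes, and eval re-parses that string, so $(...)
# and backticks inside the argument are expanded and executed.
unsafe_run() {
    cmd=$1
    arg=$2
    eval "$cmd \"$arg\""
}

# Hardened form: quote the argument before eval sees it. Spaces and
# single quotes in file names are preserved and $(...) is passed literally.
safe_run() {
    cmd=$1
    arg=$2
    eval "$cmd $(shell_quote "$arg")"
}

# Demonstration with a constructed, harmless argument.
url='http://127.0.0.1/$(echo injected)'
printf 'quoted form : %s\n' "$(shell_quote "$url")"
printf 'safe_run    : '
safe_run "printf '%s\n'" "$url"
printf 'safe_run    : '
safe_run "printf '%s\n'" "it's a file name with spaces"
```

`safe_run` prints the URL unchanged, while `unsafe_run` with the same input prints `http://127.0.0.1/injected`, because the substitution ran during `eval`. When the handler template is under your control, the better fix is to drop `eval` and call `"$cmd" "$url"` directly; the quoting helper is for the case, as in xdg-open, where the template itself carries arguments and must still be word-split.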