| Summary: | xdg-utils command injection issue (CVE-2014-9622) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | jani.valimaa, mageia, shlomif, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/629994/ | ||
| See Also: | https://bugs.freedesktop.org/show_bug.cgi?id=66670 http://bugs.debian.org/773085 | ||
| Whiteboard: | has_procedure advisory mga4-64-ok mga4-32-ok | ||
| Source RPM: | xdg-utils-1.1.0-0.0.git20121008.6.mga5.src.rpm | CVE: | |
| Status comment: | | ||
Description
David Walser
2015-01-02 19:34:12 CET
David Walser
2015-01-02 19:34:28 CET
CC:
(none) =>
jani.valimaa

(In reply to David Walser from comment #0)
> A CVE was requested for a command-injection issue in xdg-open (from
> xdg-utils):
> http://openwall.com/lists/oss-security/2015/01/01/3
>
> A patch is linked in that message.
>
> Besides the patch, looking at the hunk of the changelog visible in the
> patch, it appears that updating Cauldron to the newest git snapshot would be
> desirable.
>
> As for Mageia 4, we can just backport the patch. You can wait a bit for a
> CVE assignment, but MITRE has been really slow lately and many requests have
> slipped through the cracks.
>
> Reproducible:
>
> Steps to Reproduce:

OK, I tried applying the patch against the Cauldron package that we have now and it failed.

Furthermore, I see that there wasn't any new release of xdg-utils on http://portland.freedesktop.org/download/ since 2011 and it was an -rc1 release. The Mageia .spec files contain these instructions:

    # sources from upstream git
    #
    # git clone git://anongit.freedesktop.org/xdg/xdg-utils
    # cd xdg-utils
    # git archive --format=tar --prefix=xdg-utils-20121008/ master | xz > ../xdg-utils-20121008.tar.xz
    #

This is an unreliable and flimsy way to get a release tarball, and the upstream xdg-utils developers need to get their act together. Like the old Israeli saying goes: "That's not how you build a wall" (see https://www.youtube.com/watch?v=bmRWyFAe2Cw ).

I'm going to report a bug for xdg-utils on bugs.freedesktop.org in addition to https://bugs.freedesktop.org/show_bug.cgi?id=87988 so they'll make new releases.

Regards,

-- Shlomi Fish

Added the patch from upstream bugzilla to Cauldron xdg-utils, but seems it's causing a regression [1]. Tested and confirmed it locally.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773085#30
Jani Välimaa
2015-01-04 09:09:50 CET
See Also:
(none) =>
https://bugs.freedesktop.org/show_bug.cgi?id=66670
Jani Välimaa
2015-01-04 09:11:14 CET
See Also:
(none) =>
http://bugs.debian.org/773085

Some relevant links:

* https://bugs.freedesktop.org/show_bug.cgi?id=87989 - bug report about no new release tarballs.
* http://people.freedesktop.org/~rdieter/xdg-utils/ - the location of the new release tarballs.

Regards,

-- Shlomi Fish

Apparently the patch is still causing regressions. Debian has a newer proposed patch, seen in both of these places:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773085#58
http://sources.debian.net/src/xdg-utils/1.1.0~rc1%2Bgit20111210-7.3/debian/patches/xdg-open-safe.diff/

Seen here:
http://openwall.com/lists/oss-security/2015/01/16/13

CVE-2014-9622 has been assigned:
http://openwall.com/lists/oss-security/2015/01/17/10

Summary:
xdg-utils command injection issue =>
xdg-utils command injection issue (CVE-2014-9622)

Jani has used a newer fix from upstream, to hopefully finally fix this without regressions.

Version:
Cauldron =>
4

Debian has issued an advisory for this on January 18:
https://www.debian.org/security/2015/dsa-3131

URL:
(none) =>
http://lwn.net/Vulnerabilities/629994/

This bug appears to be fixed by:

    * Mon Jan 19 2015 wally <wally> 1.1.0-0.0.rc3.4.mga5
    + Revision: 811494
    - add patches from upstream
      * dereference symlinks when using mimetype or file (fdo#39923)
      * change screensaver_freedesktop's interpretation of GetActive (fdo#29859)
      * improve command injection vulnerability fix (mga#14932, fdo#66670)

Resolving until further notice.

Resolution:
(none) =>
FIXED

It seems that Mageia 4 is also affected but I can't see an update for it, reopening.

Status:
RESOLVED =>
REOPENED

(In reply to Sander Lepik from comment #9)
> It seems that Mageia 4 is also affected but I can't see an update for it,
> reopening.

Submitted an update for xdg-utils in Mageia 4:
http://pkgsubmit.mageia.org/

It will take some time to build.

Regards,

-- Shlomi Fish

Advisory for xdg-utils on Mageia 4 here:

Suggested advisory:
========================

Updated xdg-utils packages fix security vulnerabilities:

Command Injection Issue in xdg-utils.

This update also syncs xdg-utils with the Cauldron package.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9622
http://openwall.com/lists/oss-security/2015/01/01/3
========================

Updated packages in core/updates_testing:
========================
xdg-utils-1.1.0-0.0.rc3.3.1.mga4

Source RPMs:
xdg-utils-1.1.0-0.0.rc3.3.1.mga4.src.rpm

Thanks Shlomi. Here's a slightly more descriptive advisory.

Advisory:
========================

Updated xdg-utils package fixes security vulnerability:

John Houwer discovered a way to cause xdg-open, a tool that automatically opens URLs in a user's preferred application, to execute arbitrary commands remotely (CVE-2014-9622).

The xdg-utils has been updated to a much more recent snapshot, and has been patched to fix this issue.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9622
https://www.debian.org/security/2015/dsa-3131

Ready for QA?

Thanks, I hadn't even noticed it wasn't assigned. Assigning now.

More info about the issue is on the upstream bug here:
https://bugs.freedesktop.org/show_bug.cgi?id=66670

Advisory:
========================

Updated xdg-utils package fixes security vulnerability:

John Houwer discovered a way to cause xdg-open, a tool that automatically opens URLs in a user's preferred application, to execute arbitrary commands remotely (CVE-2014-9622).

The xdg-utils has been updated to a much more recent snapshot, and has been patched to fix this issue.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9622
https://www.debian.org/security/2015/dsa-3131
========================

Updated packages in core/updates_testing:
========================
xdg-utils-1.1.0-0.0.rc3.3.1.mga4

from xdg-utils-1.1.0-0.0.rc3.3.1.mga4.src.rpm

Assignee:
shlomif =>
qa-bugs

PoC from https://bugs.freedesktop.org/show_bug.cgi?id=66670

See also https://bugs.gentoo.org/show_bug.cgi?id=472888

    $ DE="generic" XDG_CURRENT_DESKTOP="" xdg-open 'http://127.0.0.1/$(xterm)'
    START /usr/bin/chromium-browser "http://127.0.0.1/$(xterm)"

Opens xterm rather than chromium-browser.

Whiteboard:
(none) =>
has_procedure

Testing complete mga4 64

It was still opening xterm even after a complete system reboot.

It's later debunked as a bad general PoC but this seems correct.

    $ xdg-open 'http://127.0.0.1/$(xterm)'

At least, with the update installed, it opens the default browser with the url of http://127.0.0.1/$%(xterm) rather than opening xterm.

It would be good to verify the 'Before' behaviour again with this command, but I verified the patch is applied with rpmdiff through madb.

Whiteboard:
has_procedure =>
has_procedure mga4-64-ok

Hehe, that's a neat PoC. Before the update, it does indeed open an xterm, and then once you close that, it opens the browser to 127.0.0.1. After the update, no xterm and it opens the browser to 127.0.0.1/$(xterm) as you said.

Testing complete Mageia 4 i586.

Whiteboard:
has_procedure mga4-64-ok =>
has_procedure mga4-64-ok mga4-32-ok

Validating. Advisory uploaded. Please push to 4 updates

Thanks

Whiteboard:
has_procedure mga4-64-ok mga4-32-ok =>
has_procedure advisory mga4-64-ok mga4-32-ok

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0058.html

Resolution:
(none) =>
FIXED
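As an added illustration that is not code from xdg-utils or from anyone on this bug, the shell construct that lets a URL like the PoC above execute a command, beside the form that hands the URL to the launcher as a plain argument; fake_browser and POC_URL are constructed stand-ins, not anything from the real package.

```shell
# Constructed stand-in for the user's browser: it records the URL it was
# given instead of launching anything.
fake_browser() {
    printf '%s\n' "$1"
}

# Vulnerable pattern (the bug class behind CVE-2014-9622): the launcher
# command line is assembled as a string and handed back to the shell via
# eval. Any shell syntax inside the URL, such as $(...) or backticks, is
# expanded, and only the result of that expansion reaches the browser.
open_url_unsafe() {
    url=$1
    eval "fake_browser \"$url\""
}

# Hardened pattern: the URL is passed as a single argument word, so the
# shell never re-parses it and $(...) arrives at the browser as literal
# text, which is the post-update behaviour the testers report above.
open_url_safe() {
    url=$1
    fake_browser "$url"
}

# Constructed input modelled on the PoC, with a harmless echo in place of
# xterm so the difference is visible in the output alone.
POC_URL='http://127.0.0.1/$(echo INJECTED)'

printf 'unsafe: '; open_url_unsafe "$POC_URL"   # -> http://127.0.0.1/INJECTED
printf 'safe:   '; open_url_safe "$POC_URL"     # -> http://127.0.0.1/$(echo INJECTED)
```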
Grace Cooper
2021-06-11 09:22:13 CEST
CC:
(none) =>
Grace_Cooper406
Samuel Verschelde
2021-06-15 11:52:14 CEST
CC:
Grace_Cooper406 =>
(none)