Bug 15317

Summary: xdg-utils command injection issue (CVE-2015-1877)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: Shlomi Fish <shlomif>
Status: RESOLVED INVALID QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: jani.valimaa
Version: Cauldron   
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/634447/
See Also: http://bugs.debian.org/777722
https://bugs.freedesktop.org/show_bug.cgi?id=89129
Whiteboard: MGA4TOO
Source RPM: xdg-utils-1.1.0-0.0.rc3.3.1.mga4.src.rpm CVE:
Status comment:

Description David Walser 2015-02-18 17:48:41 CET 
Another command injection issue has been found in xdg-utils:
http://openwall.com/lists/oss-security/2015/02/18/7

The above link contains a CVE request, link to the upstream bug, and a proposed patch to fix it from the Debian bug.

Reproducible: 

Steps to Reproduce:
David Walser 2015-02-18 17:49:13 CET

CC: (none) => jani.valimaa
Whiteboard: (none) => MGA4TOO

Jani Välimaa 2015-02-18 20:22:01 CET

See Also: (none) => http://bugs.debian.org/777722

Jani Välimaa 2015-02-18 20:22:18 CET

See Also: (none) => https://bugs.freedesktop.org/show_bug.cgi?id=89129

Comment 1 David Walser 2015-02-18 23:04:39 CET 
CVE-2015-1877 has been assigned:
http://openwall.com/lists/oss-security/2015/02/18/9

Summary: xdg-utils command injection issue => xdg-utils command injection issue (CVE-2015-1877)

Comment 2 Shlomi Fish 2015-02-19 12:04:35 CET 
(In reply to David Walser from comment #0)
> Another command injection issue has been found in xdg-utils:
> http://openwall.com/lists/oss-security/2015/02/18/7
> 
> The above link contains a CVE request, link to the upstream bug, and a
> proposed patch to fix it from the Debian bug.
> 
> Reproducible: 
> 
> Steps to Reproduce:

Should we fix it now or wait for the upstream-blessed fix?

Regards,

-- Shlomi Fish
Comment 3 David Walser 2015-02-19 12:45:31 CET 
Maybe we should first try to determine if the bug is valid.  The Debian bug talks about it being a problem in dash and not bash.  Debian uses dash as their default /bin/sh, but we use bash, so we may not be affected by this one.
Comment 4 Shlomi Fish 2015-02-19 13:22:13 CET 
(In reply to David Walser from comment #3)
> Maybe we should first try to determine if the bug is valid.  The Debian bug
> talks about it being a problem in dash and not bash.  Debian uses dash as
> their default /bin/sh, but we use bash, so we may not be affected by this
> one.

I did "xdg-open exploit.jpg" and it opened gwenview with the image and nothing happened. I think this problem does not affect us because we're using bash.

Regards,

-- Shlomi Fish
Comment 5 David Walser 2015-02-19 17:42:58 CET 
If you do see an upstream fix, feel free to update it in SVN and maybe push it in Cauldron if it's not too late, but yeah it doesn't look like this is really an issue for us.  I'll close this as INVALID.

Status: NEW => RESOLVED
Resolution: (none) => INVALID

David Walser 2015-02-24 18:36:14 CET

URL: (none) => http://lwn.net/Vulnerabilities/634447/