| Summary: | xdg-utils new security issue CVE-2020-27748 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | herman.viaene, jani.valimaa, ouaurelien, sysadmin-bugs |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | xdg-utils-1.1.3-3.mga7 | CVE: | |
| Status comment: | |||
Description
David Walser
2020-11-29 17:18:00 CET
David Walser
2020-11-29 17:18:06 CET
Whiteboard: (none) => MGA7TOO

Fixed in current cauldron with xdg-utils-1.1.3-5.mga8.

Whiteboard: MGA7TOO => (none)

Pushed fixed xdg-utils-1.1.3-3.1.mga7 to core/updates_testing for mga7, please test.

SRPMS/RPMS:
xdg-utils-1.1.3-3.1.mga7

Assignee: bugsquad => qa-bugs

Advisory:
========================

Updated xdg-utils package fixes security vulnerability:

Jens Mueller discovered that xdg-utils incorrectly handled certain URI. An attacker could possibly use this issue to expose sensitive information (CVE-2020-27748).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27748
https://ubuntu.com/security/notices/USN-4649-1

MGA7-64 MATE on Peaq C1011
No installation issues. This didn't draw in any dependencies.
Ref bugs 21992 for tests (which is a mixed bag.....)
$ xdg-open librepo.txt
opens the file with Pluma: OK
$ xdg-open dora.pcapng
Opens the file with wireshark OK.
Listed which xdg commands are available
xdg-autostart xdg-desktop-menu xdg_menu xdg-screensaver xdg-user-dirs-gtk-update
xdg-dbus-proxy xdg-email xdg-mime xdg-settings xdg-user-dirs-update
xdg-desktop-icon xdg-icon-resource xdg-open xdg-user-dir
Picked xdg_menu
and got
$ xdg_menu
WARNING: '/etc/xdg/kde/menus/kde-settings.menu' does not exist
WARNING: '/etc/xdg/menus/kde-information.menu' does not exist
WARNING: '/etc/xdg/kde/menus/kde-settings.menu' does not exist
WARNING: '/etc/xdg/menus/applications-kmenuedit.menu' does not exist
Unknown 'Layout':
'HASH(0xfe3db8) 0
Menuname ARRAY(0xffd0e8) 0
Menuname ARRAY(0xffd358) 0
Menuname ARRAY(0xffd238) 0
Menuname ARRAY(0xffd628) 0
Menuname ARRAY(0xffd718) 0
Menuname ARRAY(0xffd808) 0
Menuname ARRAY(0xffd8f8) 0
Menuname ARRAY(0xffd9e8) 0
Menuname ARRAY(0xffdad8) 0
Menuname ARRAY(0xffdbc8) 0
Merge ARRAY(0xffdcb8) 0
Merge ARRAY(0xffdd78) 0
Separator ARRAY(0xffddf0) 0
Filename ARRAY(0xffde98) 0
and a lot more of those. FYI: there is no kde on this notebook. Are there things missing to make this useful???
$ xdg-settings
xdg-settings: no operation given
Try 'xdg-settings --help' for more information.
[tester7@mach6 Documents]$ xdg-settings --help
xdg-settings -- get various settings from the desktop
environment
Synopsis
xdg-settings { get | check | set } {property} [subproperty] I
[value]
xdg-settings { --help | --list | --manual | --version }
Use 'man xdg-settings' or 'xdg-settings --manual' for additional info.
No time to study this thing.
Ref Len's test in bug23132 I did
$ xdg-email --cc hviaene@gmail.com --subject "xdg-utils testing" --body "Can you hear me Muther?"
And that indeed opened Thunderbird with the specified fields correctly filled in, ready to be sent.
Similar
$ xdg-open http://exoplanet.eu
opened the site on a new tab in firefox
From what I can see, good to go.

CC: (none) => herman.viaene

Validating update

Advisory pushed to SVN.

Keywords: (none) => advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0446.html

Resolution: (none) => FIXED

Aurelien Oudelet
2021-04-16 13:20:43 CEST
Blocks: (none) => 28788

Aurelien Oudelet
2021-04-16 13:26:14 CEST
Blocks: 28788 => (none)