| Summary: | thunar new security issue CVE-2021-32563 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, brtians1, guillaume.royer, mageia, ouaurelien, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK | | |
| Source RPM: | thunar-4.16.2-1.mga8.src.rpm | CVE: | CVE-2021-32563 |
| Status comment: | | | |

Description
Nicolas Salguero
2021-05-11 11:56:12 CEST
Nicolas Salguero
2021-05-11 11:57:23 CEST
Source RPM:
(none) =>
thunar-4.16.2-1.mga8.src.rpm

fixed in svn
src:
- thunar-4.16.2-1.1.mga8

Assignee:
bugsquad =>
qa-bugs

Advisory:
========================

Updated thunar packages fix a security vulnerability:

An issue was discovered in Thunar before 4.16.7 and 4.17.x before 4.17.2. When called with a regular file as a command-line argument, it delegates to a different program (based on the file type) without user confirmation. This could be used to achieve code execution (CVE-2021-32563).

References:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32563
- https://www.openwall.com/lists/oss-security/2021/05/09/2
- https://www.openwall.com/lists/oss-security/2021/05/11/3
========================

Updated packages in core/updates_testing:
========================
lib(64)thunarx-devel-4.16.2-1.1.mga8
lib(64)thunarx-gir3.0-4.16.2-1.1.mga8
lib(64)thunarx3_0-4.16.2-1.1.mga8
thunar-4.16.2-1.1.mga8

from SRPM:
thunar-4.16.2-1.1.mga8.src.rpm

CC:
(none) =>
ouaurelien

I must be testing it wrong

before

$ thunar -V
thunar 4.16.2 (Xfce 4.16)

$ thunar hatched.odt
the file opens with libreoffice

-----------
installed

The following 2 packages are going to be installed:

- lib64thunarx3_0-4.16.2-1.1.mga8.x86_64
- thunar-4.16.2-1.1.mga8.x86_64

after

$ thunar -V
thunar 4.16.2 (Xfce 4.16)

$ thunar hatched.odt
the file is opened with libreoffice again

CC:
(none) =>
brtians1
Aurelien Oudelet
2021-05-22 18:42:51 CEST
Keywords:
(none) =>
feedback

MGA 8 XFCE 64

Before update Thunar worked well.

Update Thunar with QA repo and:

- lib64thunarx3_0-4.16.2-1.1.mga8.x86_64
- thunar-4.16.2-1.1.mga8.x86_64

After update Thunar is ok, Navigation Ok, Open files Ok

CC:
(none) =>
guillaume.royer

Let's try a full update to 4.16.8, which contains the fixes.

thunar-4.16.8-1.mga8
libthunarx-devel-4.16.8-1.mga8
libthunarx3_0-4.16.8-1.mga8
libthunarx-gir3.0-4.16.8-1.mga8

from thunar-4.16.8-1.mga8.src.rpm

Keywords:
feedback =>
(none)

$ uname -a
Linux localhost.localdomain 5.10.46-desktop-1.mga8 #1 SMP Thu Jun 24 14:33:54 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

The following 4 packages are going to be installed:

- glibc-2.32-16.mga8.x86_64
- glibc-devel-2.32-16.mga8.x86_64
- lib64thunarx3_0-4.16.8-1.mga8.x86_64
- thunar-4.16.8-1.mga8.x86_64

---
I rebooted

$ thunar -V
thunar 4.16.8 (Xfce 4.16)

Copyright (c) 2004-2020
The Thunar development team. All rights reserved.

Written by Benedikt Meurer <benny@xfce.org>.

Please report bugs to <https://gitlab.xfce.org/xfce/thunar>.

Now when I run thunar against a file, it just opens thunar in the current folder.

$ thunar thunar41681.txt

It does not execute a program.

This is now fixed!

Whiteboard:
(none) =>
MGA8-64-OK

Validating. The advisory in Comment 2 should work, as long as the srpm information from Comment 5 is used.

Keywords:
(none) =>
validated_update

(In reply to Thomas Andrews from comment #7)
> Validating. The advisory in Comment 2 should work, as long as the srpm
> information from Comment 5 is used.

Yeah.

Keywords:
(none) =>
advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0306.html

Status:
NEW =>
RESOLVED
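
The version ranges stated in the advisory, as an added example that is not part of the bug report or of Thunar or Mageia tooling: these shell functions classify the upstream version printed by `thunar -V`. The function names are hypothetical. `thunar -V` reports only the upstream version, so a distribution package that carries a backported patch still reads as in range and its package release has to be checked separately.

```shell
#!/bin/sh
# Added example: classify an upstream Thunar version against the ranges in
# the advisory (affected: before 4.16.7, and 4.17.x before 4.17.2).
# Function names are hypothetical, not part of Thunar or Mageia tooling.

# Read `thunar -V` output on stdin and print the upstream version field.
parse_thunar_version() {
    awk 'NR == 1 && $1 == "thunar" { print $2 }'
}

# Print "affected", "fixed" or "unknown" for a MAJOR.MINOR.PATCH version.
thunar_status() {
    printf '%s\n' "$1" | awk -F. '
        $0 !~ /^[0-9]+\.[0-9]+\.[0-9]+$/ { print "unknown"; exit }
        {
            major = $1 + 0; minor = $2 + 0; patch = $3 + 0
            if (major < 4 || (major == 4 && minor < 16))
                print "affected"                       # older than 4.16.x
            else if (major == 4 && minor == 16)
                print (patch < 7 ? "affected" : "fixed")
            else if (major == 4 && minor == 17)
                print (patch < 2 ? "affected" : "fixed")
            else
                print "fixed"                          # 4.18 and later
        }'
}

# Read `thunar -V` output on stdin; print "<version> <status>".
check_output() {
    v=$(parse_thunar_version)
    printf '%s %s\n' "${v:-?}" "$(thunar_status "$v")"
}

# The two `thunar -V` first lines quoted in the thread, before and after
# the 4.16.8 update.
for line in 'thunar 4.16.2 (Xfce 4.16)' 'thunar 4.16.8 (Xfce 4.16)'; do
    printf '%s\n' "$line" | check_output
done
```

On an installed system the same check is `thunar -V | check_output`.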