A CVE was requested for a command-injection issue in xdg-open (from xdg-utils):
http://openwall.com/lists/oss-security/2015/01/01/3

A patch is linked in that message.

Besides the patch, looking at the hunk of the changelog visible in the patch, it appears that updating Cauldron to the newest git snapshot would be desirable.

As for Mageia 4, we can just backport the patch. You can wait a bit for a CVE assignment, but MITRE has been really slow lately and many requests have slipped through the cracks.

Reproducible:

Steps to Reproduce:
CC: (none) => jani.valimaa
Whiteboard: (none) => MGA4TOO
(In reply to David Walser from comment #0)
> A CVE was requested for a command-injection issue in xdg-open (from
> xdg-utils):
> http://openwall.com/lists/oss-security/2015/01/01/3
>
> A patch is linked in that message.
>
> Besides the patch, looking at the hunk of the changelog visible in the
> patch, it appears that updating Cauldron to the newest git snapshot would be
> desirable.
>
> As for Mageia 4, we can just backport the patch. You can wait a bit for a
> CVE assignment, but MITRE has been really slow lately and many requests have
> slipped through the cracks.
>
> Reproducible:
>
> Steps to Reproduce:

OK, I tried applying the patch against the Cauldron package that we have now and it failed. Furthermore, I see that there wasn't any new release of xdg-utils on http://portland.freedesktop.org/download/ since 2011 and it was an -rc1 release. The Mageia .spec files contain these instructions:

# sources from upstream git
#
# git clone git://anongit.freedesktop.org/xdg/xdg-utils
# cd xdg-utils
# git archive --format=tar --prefix=xdg-utils-20121008/ master | xz > ../xdg-utils-20121008.tar.xz
#

This is an unreliable and flimsy way to get a release tarball, and the upstream xdg-utils developers need to get their act together. Like the old Israeli saying goes: "That's not how you build a wall" (see https://www.youtube.com/watch?v=bmRWyFAe2Cw ).

I'm going to report a bug for xdg-utils on bugs.freedesktop.org in addition to https://bugs.freedesktop.org/show_bug.cgi?id=87988 so they'll make new releases.

Regards,

-- Shlomi Fish
Added the patch from upstream bugzilla to Cauldron xdg-utils, but it seems to be causing a regression [1]. Tested and confirmed it locally.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773085#30
See Also: (none) => https://bugs.freedesktop.org/show_bug.cgi?id=66670
See Also: (none) => http://bugs.debian.org/773085
Some relevant links:

* https://bugs.freedesktop.org/show_bug.cgi?id=87989 - bug report about no new release tarballs.
* http://people.freedesktop.org/~rdieter/xdg-utils/ - the location of the new release tarballs.

Regards,

-- Shlomi Fish
Apparently the patch is still causing regressions. Debian has a newer proposed patch, seen in both of these places:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773085#58
http://sources.debian.net/src/xdg-utils/1.1.0~rc1%2Bgit20111210-7.3/debian/patches/xdg-open-safe.diff/

Seen here:
http://openwall.com/lists/oss-security/2015/01/16/13
CVE-2014-9622 has been assigned: http://openwall.com/lists/oss-security/2015/01/17/10
Summary: xdg-utils command injection issue => xdg-utils command injection issue (CVE-2014-9622)
Jani has used a newer fix from upstream, to hopefully finally fix this without regressions.
Version: Cauldron => 4
Whiteboard: MGA4TOO => (none)
Debian has issued an advisory for this on January 18: https://www.debian.org/security/2015/dsa-3131
URL: (none) => http://lwn.net/Vulnerabilities/629994/
This bug appears to be fixed by:

* Mon Jan 19 2015 wally <wally> 1.1.0-0.0.rc3.4.mga5
+ Revision: 811494
- add patches from upstream
  * dereference symlinks when using mimetype or file (fdo#39923)
  * change screensaver_freedesktop's interpretation of GetActive (fdo#29859)
  * improve command injection vulnerability fix (mga#14932, fdo#66670)

Resolving until further notice.
Resolution: (none) => FIXED
Status: NEW => RESOLVED
It seems that Mageia 4 is also affected but I can't see an update for it, reopening.
Status: RESOLVED => REOPENED
CC: (none) => mageia
Resolution: FIXED => (none)
(In reply to Sander Lepik from comment #9)
> It seems that Mageia 4 is also affected but I can't see an update for it,
> reopening.

Submitted an update for xdg-utils in Mageia 4: http://pkgsubmit.mageia.org/

It will take some time to build.

Regards,

-- Shlomi Fish
Advisory for xdg-utils on Mageia 4 here:

Suggested advisory:
========================

Updated xdg-utils packages fix security vulnerabilities:

Command Injection Issue in xdg-utils.

This update also syncs xdg-utils with the Cauldron package.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9622
http://openwall.com/lists/oss-security/2015/01/01/3
========================

Updated packages in core/updates_testing:
========================
xdg-utils-1.1.0-0.0.rc3.3.1.mga4

Source RPMs:
xdg-utils-1.1.0-0.0.rc3.3.1.mga4.src.rpm
Thanks Shlomi. Here's a slightly more descriptive advisory.

Advisory:
========================

Updated xdg-utils package fixes security vulnerability:

John Houwer discovered a way to cause xdg-open, a tool that automatically opens URLs in a user's preferred application, to execute arbitrary commands remotely (CVE-2014-9622).

The xdg-utils package has been updated to a much more recent snapshot, and has been patched to fix this issue.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9622
https://www.debian.org/security/2015/dsa-3131
Ready for QA?
Thanks, I hadn't even noticed it wasn't assigned. Assigning now.

More info about the issue is on the upstream bug here:
https://bugs.freedesktop.org/show_bug.cgi?id=66670

Advisory:
========================

Updated xdg-utils package fixes security vulnerability:

John Houwer discovered a way to cause xdg-open, a tool that automatically opens URLs in a user's preferred application, to execute arbitrary commands remotely (CVE-2014-9622).

The xdg-utils package has been updated to a much more recent snapshot, and has been patched to fix this issue.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9622
https://www.debian.org/security/2015/dsa-3131
========================

Updated packages in core/updates_testing:
========================
xdg-utils-1.1.0-0.0.rc3.3.1.mga4

from xdg-utils-1.1.0-0.0.rc3.3.1.mga4.src.rpm
Assignee: shlomif => qa-bugs
CC: (none) => shlomif
PoC from https://bugs.freedesktop.org/show_bug.cgi?id=66670
See also https://bugs.gentoo.org/show_bug.cgi?id=472888

$ DE="generic" XDG_CURRENT_DESKTOP="" xdg-open 'http://127.0.0.1/$(xterm)'
START /usr/bin/chromium-browser "http://127.0.0.1/$(xterm)"

Opens xterm rather than chromium-browser.
Whiteboard: (none) => has_procedure
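The PoC above works because the URL ends up re-parsed by the shell. As an added example, not from this thread or from xdg-utils itself, here is a minimal POSIX sh model of that bug class beside the hardened form; the "browser" is a hypothetical stand-in that merely prints the URL it receives, so a successful injection shows up as a changed result rather than a launched program.

```shell
#!/bin/sh
# Added example, not code from the bug thread or from xdg-utils: a simplified
# model of the CVE-2014-9622 bug class. The "browser" below is a hypothetical
# stand-in (printf) so the outcome is visible as text.

# Vulnerable pattern: the URL is spliced into a command *string* and the
# string is handed to eval. eval re-parses the whole line, so $(...) inside
# the URL is executed as a command substitution. (Simplified from what the
# old xdg-open open_generic code did with a %s-style browser template.)
open_unsafe() {
    url=$1
    cmd="printf '%s\n' $url"     # constructed command string, URL unquoted
    eval "$cmd"
}

# Hardened pattern: the URL is passed as one separate argument word and is
# never re-parsed by the shell, so its content stays opaque data. This is
# the property the upstream fix restores; the URL reaches the browser verbatim.
open_safe() {
    url=$1
    printf '%s\n' "$url"
}

# Defender-side check mirroring how the thread's QA verified the update:
# returns 0 when the URL survives untouched (patched behaviour), 1 otherwise.
verify_opaque() {
    [ "$(open_safe "$1")" = "$1" ]
}

# Demo with a harmless substitution in place of the thread's $(xterm).
poc='http://127.0.0.1/$(echo INJECTED)'
echo "unsafe: $(open_unsafe "$poc")"   # prints http://127.0.0.1/INJECTED
echo "safe:   $(open_safe "$poc")"     # prints the URL unchanged
```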
Testing complete mga4 64

It was still opening xterm even after a complete system reboot. It's later debunked as a bad general PoC but this seems correct.

$ xdg-open 'http://127.0.0.1/$(xterm)'

At least, with the update installed, it opens the default browser with the url of http://127.0.0.1/$%(xterm) rather than opening xterm.

It would be good to verify the 'Before' behaviour again with this command, but I verified the patch is applied with rpmdiff through madb.
Whiteboard: has_procedure => has_procedure mga4-64-ok
Hehe, that's a neat PoC. Before the update, it does indeed open an xterm, and then once you close that, it opens the browser to 127.0.0.1. After the update, no xterm and it opens the browser to 127.0.0.1/$(xterm) as you said.

Testing complete Mageia 4 i586.
Whiteboard: has_procedure mga4-64-ok => has_procedure mga4-64-ok mga4-32-ok
Validating. Advisory uploaded.

Please push to 4 updates.

Thanks
Whiteboard: has_procedure mga4-64-ok mga4-32-ok => has_procedure advisory mga4-64-ok mga4-32-ok
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0058.html
Resolution: (none) => FIXED
Status: REOPENED => RESOLVED
CC: (none) => Grace_Cooper406
CC: Grace_Cooper406 => (none)