Another command injection issue has been found in xdg-utils: http://openwall.com/lists/oss-security/2015/02/18/7

The above link contains a CVE request, a link to the upstream bug, and a proposed patch to fix it from the Debian bug.
CC: (none) => jani.valimaa
Whiteboard: (none) => MGA4TOO
See Also: (none) => http://bugs.debian.org/777722
See Also: (none) => https://bugs.freedesktop.org/show_bug.cgi?id=89129
CVE-2015-1877 has been assigned: http://openwall.com/lists/oss-security/2015/02/18/9
Summary: xdg-utils command injection issue => xdg-utils command injection issue (CVE-2015-1877)
(In reply to David Walser from comment #0)
> Another command injection issue has been found in xdg-utils:
> http://openwall.com/lists/oss-security/2015/02/18/7
>
> The above link contains a CVE request, link to the upstream bug, and a
> proposed patch to fix it from the Debian bug.

Should we fix it now or wait for the upstream-blessed fix?

Regards,

-- Shlomi Fish
Maybe we should first try to determine if the bug is valid. The Debian bug talks about it being a problem in dash and not bash. Debian uses dash as their default /bin/sh, but we use bash, so we may not be affected by this one.
(In reply to David Walser from comment #3)
> Maybe we should first try to determine if the bug is valid. The Debian bug
> talks about it being a problem in dash and not bash. Debian uses dash as
> their default /bin/sh, but we use bash, so we may not be affected by this
> one.

I did "xdg-open exploit.jpg" and it opened gwenview with the image and nothing happened. I think this problem does not affect us because we're using bash.

Regards,

-- Shlomi Fish
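The "we use bash, so we are not affected" reasoning above rests on two facts worth checking rather than assuming: what /bin/sh actually resolves to on the system, and that xdg-open is run through /bin/sh at all. The script below is an added example, not code from the bug thread or from xdg-utils; it assumes xdg-open is a `#!/bin/sh` script and uses a constructed stand-in file so it runs anywhere.

```shell
#!/bin/sh
# Added check, not part of the bug thread: find out which interpreter
# actually executes a /bin/sh script. Whether a dash-specific quoting bug
# applies depends on that (Debian's /bin/sh is dash, Mageia's is bash).

# Print the interpreter a script's "#!" line names ("none" if it has none).
# A "#!/usr/bin/env NAME" shebang is resolved through the caller's PATH.
script_shebang() {
    IFS= read -r first < "$1" || return 1
    case "$first" in
        '#!'*)
            set -- ${first#??}          # split the shebang line into words
            if [ "$(basename "$1")" = env ]; then
                command -v "$2"
            else
                printf '%s\n' "$1"
            fi ;;
        *) echo none ;;
    esac
}

# Follow symlinks to the real binary (e.g. /bin/sh -> dash or bash).
resolve_interpreter() {
    target=$1
    while [ -L "$target" ]; do
        link=$(readlink "$target")
        case "$link" in
            /*) target=$link ;;
            *)  target="$(dirname "$target")/$link" ;;
        esac
    done
    printf '%s\n' "$target"
}

# Name of the shell binary that would execute the script at $1.
report_shell_for() {
    sb=$(script_shebang "$1") || return 1
    [ "$sb" = none ] && { echo none; return 0; }
    basename "$(resolve_interpreter "$sb")"
}

# Constructed stand-in for xdg-open so the demo does not need the real script.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '#!/bin/sh\necho demo\n' > "$demo_dir/fake-xdg-open"

echo "/bin/sh resolves to: $(resolve_interpreter /bin/sh)"
echo "fake-xdg-open would run under: $(report_shell_for "$demo_dir/fake-xdg-open")"
[ -x /usr/bin/xdg-open ] && echo "real xdg-open would run under: $(report_shell_for /usr/bin/xdg-open)"
```

Run it on the machine in question; if the last line reports dash for the real xdg-open, the "not affected because we use bash" argument does not hold there.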
If you do see an upstream fix, feel free to update it in SVN and maybe push it in Cauldron if it's not too late, but yeah it doesn't look like this is really an issue for us. I'll close this as INVALID.
Status: NEW => RESOLVED
Resolution: (none) => INVALID
URL: (none) => http://lwn.net/Vulnerabilities/634447/