Bug 23132 - xdg-utils new security issue CVE-2017-18266
Summary: xdg-utils new security issue CVE-2017-18266
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, has_procedure, validated_update
Depends on:
Blocks:
 
Reported: 2018-06-07 20:44 CEST by David Walser
Modified: 2018-06-20 01:43 CEST

See Also:
Source RPM: xdg-utils-1.1.2-1.1.mga6.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2018-06-07 20:44:02 CEST
Fedora has issued an advisory on May 17:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZECHRCR6RWTX46ANDPIAXPMHZ2EOHNJB/

The issue is fixed upstream in 1.1.3.

Mageia 5 is also affected.

The Red Hat bug has links to the upstream commit that fixes it and to the bug report:
https://bugzilla.redhat.com/show_bug.cgi?id=1578767
David Walser 2018-06-07 20:44:20 CEST

CC: (none) => jani.valimaa, shlomif

Comment 1 David Walser 2018-06-07 22:08:16 CEST
Note that they followed up with a regression fix on May 30:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7OOOVBRZM3RYFISCO5UONJIXTBMKONYF/
Comment 2 Jani Välimaa 2018-06-08 17:33:10 CEST
Pushed xdg-utils-1.1.3-1 to mga6 core/updates_testing.

Assignee: bugsquad => qa-bugs

Comment 3 David Walser 2018-06-08 18:33:44 CEST
Advisory:
========================

Updated xdg-utils package fixes security vulnerability:

The open_envvar function in xdg-open in xdg-utils before 1.1.3 does not validate
strings before launching the program specified by the BROWSER environment
variable, which might allow remote attackers to conduct argument-injection
attacks via a crafted URL, as demonstrated by %s in this environment variable
(CVE-2017-18266).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18266
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZECHRCR6RWTX46ANDPIAXPMHZ2EOHNJB/
========================

Updated packages in core/updates_testing:
========================
xdg-utils-1.1.3-1.mga6

from xdg-utils-1.1.3-1.mga6.src.rpm
Comment 4 Herman Viaene 2018-06-11 15:53:23 CEST
MGA6-32 on IBM Thinkpad R50e MATE
No installation issues.
Ref to bug 14932 Comment 16
Giving this command at the CLI
$ xdg-open 'http://127.0.0.1/$(xterm)'
results in a new tab in Firefox with "error 404"
but
$ xdg-open 'http://127.0.0.1/$%(xterm)'
as in the same comment results in error 400
I'll let people with more understanding judge this issue.

CC: (none) => herman.viaene

Comment 5 Len Lawrence 2018-06-13 18:50:57 CEST
CVE-2017-18266
https://bugs.freedesktop.org/show_bug.cgi?id=103807

$ BROWSER="firefox %s" xdg-open "http://www.example.com/ --incognito"
This shows a yellow page with a report of an XML error.
'http://www.example.com/%20--incognito' in the address bar.
Not possible to say whether this page is being opened at the given URL or locally.
$ BROWSER="firefox %s" xdg-open "http://www.example.com/ --proxy-pac-url=http://dangerous.example.com/proxy.pac"
Similar response.

Clean update.
The behaviour is the same for the first example above, so, in agreement with Herman, I shall leave the interpretation to others. The older PoC gave the same results as in comment 4.

Utilities available: man or --help for more information.
* xdg-desktop-icon Install icons to the desktop
* xdg-desktop-menu Install desktop menu items
* xdg-email Send mail using the user's preferred e-mail composer
* xdg-icon-resource Install icon resources
* xdg-mime Query information about file type handling and install descriptions for new file types
* xdg-open Open a file or URL in the user's preferred application
* xdg-screensaver Control the screensaver
* xdg-settings Get various settings from the desktop environment

$ xdg-email --cc tarazed25@gmail.com --subject "xdg-utils testing" --body "Can you hear me Muther
> I say, can you hear me Muther?" <...@....>.com

This popped up a mail composer window in thunderbird with the specified fields filled in, message ready to be sent.

Fiddled with the desktop and icon install stuff but got nowhere with those.

$ xdg-open http://exoplanet.eu
No problem with that.

$ xdg-settings get default-web-browser
userapp-Firefox-2P2D6X.desktop

Installed iceape but did no configuration.
$ BROWSER=/usr/bin/iceape xdg-open http://exoplanet.eu
The site came up OK in iceape but there were backend errors reported and entreaties to run mozplugger-update. Ignored those.

This package obviously requires more background knowledge for effective operation but on the face of it seems to be working.

CC: (none) => tarazed25
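As an added illustration, not code from xdg-utils, the Mageia package, or any commenter on this bug, the following POSIX shell script models the behaviour that the advisory in comment 3 describes and that comments 4 and 5 exercise: how a `%s` placeholder in `$BROWSER` is substituted into a command line and then word-split by the shell, and a single-argument guard of the kind the fix is described as adding (the string is validated before it is substituted into `%s`). The guard's exact form in xdg-utils 1.1.3 is an assumption here, nothing is executed (the script only prints the argv that would result), and all function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from xdg-utils or from this bug report. It models
# the two behaviours discussed in the advisory and test comments: how a "%s"
# placeholder in $BROWSER is expanded into a command line, and a
# single-argument guard of the kind the 1.1.3 fix is described as adding.
# The guard's exact upstream form is an assumption; function names are ours.

# True when the unquoted expansion of its arguments is exactly one word,
# i.e. the URL contains no IFS characters (space, tab, newline) that would
# split it into extra command-line arguments.
has_single_argument() {
    test $# -eq 1
}

# Unchecked expansion (the pre-1.1.3 shape): substitute the URL into the
# template and word-split the result the way the shell would before exec.
# Nothing is executed; the resulting argv is printed one entry per line.
expand_browser_template() {
    template=$1
    url=$2
    (
        set -f                                   # no pathname expansion
        # shellcheck disable=SC2046,SC2059
        set -- $(printf "$template" "$url")
        printf '%s\n' "$@"
    )
}

# Number of argv entries the unchecked expansion would produce.
count_template_words() {
    expand_browser_template "$1" "$2" | wc -l | tr -d ' '
}

# Guarded expansion: refuse before substituting when the URL alone would
# split into more than one argument, so "%s" can never smuggle in extra
# options for the browser.
safe_expand_browser_template() {
    template=$1
    url=$2
    # shellcheck disable=SC2086
    if ! ( set -f; has_single_argument $url ); then
        echo "refused: URL would expand to more than one argument" >&2
        return 1
    fi
    expand_browser_template "$template" "$url"
}

# Demonstration on the two URLs from comment 5 (constructed from that comment).
if [ "${1:-}" = "demo" ]; then
    echo "unchecked, URL containing a space:"
    expand_browser_template 'firefox %s' 'http://www.example.com/ --incognito'
    echo "guarded, same URL:"
    safe_expand_browser_template 'firefox %s' 'http://www.example.com/ --incognito' || true
    echo "guarded, percent-encoded URL:"
    safe_expand_browser_template 'firefox %s' 'http://www.example.com/%20--incognito'
fi
```

Run it with `sh script.sh demo`. The unchecked path turns `http://www.example.com/ --incognito` into three argv entries, the last being `--incognito`, which is the argument injection the advisory refers to; the guarded path refuses that URL and accepts the `%20` form, which stays one word, matching the `%20--incognito` that Len saw in the address bar. Herman's `http://127.0.0.1/$(xterm)` is likewise a single word, and the shell does not re-apply command substitution to the contents of a variable, which is consistent with the plain 404 reported in comment 4.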

Len Lawrence 2018-06-15 19:39:48 CEST

Whiteboard: (none) => MGA6-64-OK

David Walser 2018-06-17 18:28:57 CEST

Component: RPM Packages => Security
QA Contact: (none) => security

Comment 6 claire robinson 2018-06-19 21:39:32 CEST
Advisoried. Validating.

Keywords: (none) => advisory, has_procedure, validated_update
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2018-06-20 01:43:27 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0289.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

