Bug 27688 - xdg-utils new security issue CVE-2020-27748
Summary: xdg-utils new security issue CVE-2020-27748
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-11-29 17:18 CET by David Walser
Modified: 2021-04-16 13:26 CEST (History)

See Also:
Source RPM: xdg-utils-1.1.3-3.mga7
CVE:
Status comment:


Attachments

Description David Walser 2020-11-29 17:18:00 CET
Ubuntu has issued an advisory on November 26:
https://ubuntu.com/security/notices/USN-4649-1

Mageia 7 is also affected.
David Walser 2020-11-29 17:18:06 CET

Whiteboard: (none) => MGA7TOO

Comment 1 Jani Välimaa 2020-11-29 19:09:17 CET
Fixed in current cauldron with xdg-utils-1.1.3-5.mga8.

Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Source RPM: xdg-utils-1.1.3-4.mga8.src.rpm => xdg-utils-1.1.3-3.mga7
CC: (none) => jani.valimaa

Comment 2 Jani Välimaa 2020-11-29 19:10:35 CET
Pushed fixed xdg-utils-1.1.3-3.1.mga7 to core/updates_testing for mga7, please test.

SRPMS/RPMS:
xdg-utils-1.1.3-3.1.mga7

Assignee: bugsquad => qa-bugs

Comment 3 David Walser 2020-11-29 19:17:52 CET
Advisory:
========================

Updated xdg-utils package fixes security vulnerability:

Jens Mueller discovered that xdg-utils incorrectly handled certain URIs. An
attacker could possibly use this issue to expose sensitive information
(CVE-2020-27748).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27748
https://ubuntu.com/security/notices/USN-4649-1
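
The advisory above does not say which URI handling was at fault. CVE-2020-27748 concerns xdg-email: when it translated a mailto: URI for the mail client it also honoured an "attach" parameter, so a mailto: link could name a local file to be attached to the outgoing message. The upstream fix for this CVE dropped that translation. The POSIX shell functions below are an added example, not code from this bug, from xdg-utils or from the Mageia package: they parse the query part of a mailto: URI and strip the "attach"/"attachment" parameters before the URI is handed on, which is the check a hardened mailto: handler performs. The sample URIs in the test are constructed.

```shell
#!/bin/sh
# Added example: sanitise the query string of a mailto: URI by dropping the
# parameters that name local files to attach. Pure POSIX sh plus awk.

# Print the query part of a mailto: URI (everything after the first '?'),
# or an empty line when the URI carries no query.
mailto_query() {
    case "$1" in
        mailto:*\?*) printf '%s\n' "${1#*\?}" ;;
        *)           printf '\n' ;;
    esac
}

# Print the query with every "attach" / "attachment" parameter removed
# (case-insensitive key match), keeping the other parameters in order.
mailto_strip_attach() {
    mailto_query "$1" | awk -F'&' '
    {
        out = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "") continue
            key = tolower($i)
            sub(/=.*/, "", key)          # keep only the parameter name
            if (key == "attach" || key == "attachment") continue
            out = (out == "") ? $i : out "&" $i
        }
        print out
    }'
}

# Return success (0) when the URI carries at least one attach parameter.
mailto_has_attach() {
    [ "$(mailto_query "$1")" != "$(mailto_strip_attach "$1")" ]
}

# Rebuild the full URI without attach parameters; a URI whose query becomes
# empty is returned as the bare address part.
mailto_sanitize() {
    addr=${1%%\?*}
    q=$(mailto_strip_attach "$1")
    if [ -n "$q" ]; then
        printf '%s?%s\n' "$addr" "$q"
    else
        printf '%s\n' "$addr"
    fi
}
```

A handler that calls mailto_sanitize before invoking the mail client cannot be talked into attaching a file by a link on a web page, whatever case the parameter name is written in; the other mailto: fields (subject, body, cc) still pass through unchanged.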
Comment 4 Herman Viaene 2020-11-30 14:34:28 CET
MGA7-64 MATE on Peaq C1011
No installation issues. This didn't draw in any dependencies.
Ref bug 21992 for tests (which is a mixed bag.....)
$ xdg-open librepo.txt 
opens the file with Pluma: OK
$ xdg-open dora.pcapng 
Opens the file with Wireshark: OK.
Listed which xdg commands are available
xdg-autostart             xdg-desktop-menu          xdg_menu                  xdg-screensaver           xdg-user-dirs-gtk-update
xdg-dbus-proxy            xdg-email                 xdg-mime                  xdg-settings              xdg-user-dirs-update
xdg-desktop-icon          xdg-icon-resource         xdg-open                  xdg-user-dir    

Picked xdg_menu
and got
$ xdg_menu 
WARNING: '/etc/xdg/kde/menus/kde-settings.menu' does not exist
WARNING: '/etc/xdg/menus/kde-information.menu' does not exist
WARNING: '/etc/xdg/kde/menus/kde-settings.menu' does not exist
WARNING: '/etc/xdg/menus/applications-kmenuedit.menu' does not exist
Unknown 'Layout':
        'HASH(0xfe3db8) 0 
     Menuname ARRAY(0xffd0e8) 0 
     Menuname ARRAY(0xffd358) 0 
     Menuname ARRAY(0xffd238) 0 
     Menuname ARRAY(0xffd628) 0 
     Menuname ARRAY(0xffd718) 0 
     Menuname ARRAY(0xffd808) 0 
     Menuname ARRAY(0xffd8f8) 0 
     Menuname ARRAY(0xffd9e8) 0 
     Menuname ARRAY(0xffdad8) 0 
     Menuname ARRAY(0xffdbc8) 0 
     Merge ARRAY(0xffdcb8) 0 
     Merge ARRAY(0xffdd78) 0 
     Separator ARRAY(0xffddf0) 0 
     Filename ARRAY(0xffde98) 0 
and a lot more of those. FYI: there is no kde on this notebook. Are there things missing to make this useful???

$ xdg-settings
xdg-settings: no operation given
Try 'xdg-settings --help' for more information.
[tester7@mach6 Documents]$ xdg-settings --help
   xdg-settings -- get various settings from the desktop
   environment

Synopsis

   xdg-settings { get | check | set } {property} [subproperty] I
   [value]

   xdg-settings { --help | --list | --manual | --version }

Use 'man xdg-settings' or 'xdg-settings --manual' for additional info.
No time to study this thing.

Ref Len's test in bug 23132 I did
$ xdg-email --cc hviaene@gmail.com --subject "xdg-utils testing" --body "Can you hear me Muther?"
And that indeed opened Thunderbird with the specified fields correctly filled in, ready to be sent.
Similarly,
$ xdg-open http://exoplanet.eu
opened the site in a new tab in Firefox.
From what I can see, good to go.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 5 Aurelien Oudelet 2020-12-01 10:22:25 CET
Validating update
Advisory pushed to SVN.

Keywords: (none) => advisory, validated_update
CC: (none) => ouaurelien, sysadmin-bugs

Comment 6 Mageia Robot 2020-12-03 10:56:06 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0446.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Aurelien Oudelet 2021-04-16 13:20:43 CEST

Blocks: (none) => 28788

Aurelien Oudelet 2021-04-16 13:26:14 CEST

Blocks: 28788 => (none)
