Bug 28904 - thunar new security issue CVE-2021-32563
Summary: thunar new security issue CVE-2021-32563
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords: feedback
Depends on:
Blocks:
 
Reported: 2021-05-11 11:56 CEST by Nicolas Salguero
Modified: 2021-06-03 20:30 CEST

See Also:
Source RPM: thunar-4.16.2-1.mga8.src.rpm
CVE: CVE-2021-32563
Status comment:



Description Nicolas Salguero 2021-05-11 11:56:12 CEST
Hi,

When called with a regular file as command line argument, Thunar would delegate to some other program without user confirmation based on the file type. This could be exploited to trigger code execution in a chain of vulnerabilities.

This is fixed in 4.16.8.

References:
https://www.openwall.com/lists/oss-security/2021/05/09/2
https://www.openwall.com/lists/oss-security/2021/05/11/3

Best regards,

Nico.
Nicolas Salguero 2021-05-11 11:57:23 CEST

CVE: (none) => CVE-2021-32563
Source RPM: (none) => thunar-4.16.2-1.mga8.src.rpm
Status comment: (none) => Fixed upstream in version 4.16.8

Comment 1 Nicolas Lécureuil 2021-05-11 17:16:54 CEST
fixed in svn

src:
    - thunar-4.16.2-1.1.mga8

CC: (none) => mageia
Assignee: bugsquad => qa-bugs
Status comment: Fixed upstream in version 4.16.8 => (none)

Comment 2 Aurelien Oudelet 2021-05-11 18:22:48 CEST
Advisory:
========================

Updated thunar packages fix a security vulnerability:

An issue was discovered in Thunar before 4.16.7 and 4.17.x before 4.17.2.
When called with a regular file as a command-line argument, it delegates to
a different program (based on the file type) without user confirmation.
This could be used to achieve code execution (CVE-2021-32563).

References:
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32563
 - https://www.openwall.com/lists/oss-security/2021/05/09/2
 - https://www.openwall.com/lists/oss-security/2021/05/11/3
========================

Updated packages in core/updates_testing:
========================
lib(64)thunarx-devel-4.16.2-1.1.mga8
lib(64)thunarx-gir3.0-4.16.2-1.1.mga8
lib(64)thunarx3_0-4.16.2-1.1.mga8
thunar-4.16.2-1.1.mga8

from SRPM:
thunar-4.16.2-1.1.mga8.src.rpm

CC: (none) => ouaurelien

Comment 3 Brian Rockwell 2021-05-13 14:49:18 CEST
I must be testing it wrong


before

$ thunar -V
thunar 4.16.2 (Xfce 4.16)


$ thunar hatched.odt

the file opens with libreoffice

-----------

installed

The following 2 packages are going to be installed:

- lib64thunarx3_0-4.16.2-1.1.mga8.x86_64
- thunar-4.16.2-1.1.mga8.x86_64


after

$ thunar -V
thunar 4.16.2 (Xfce 4.16)


$ thunar hatched.odt

the file is opened with libreoffice again

CC: (none) => brtians1
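Comment 3 shows why `thunar -V` is the wrong check for this update: the package keeps upstream version 4.16.2 and only bumps the release from 1.mga8 to 1.1.mga8, so the version string is identical before and after. The following added example (not code from this bug or from Mageia) instead compares installed package NVRs against the fixed build named in the advisory; it reimplements the common subset of rpm's version-ordering rules in Python (numeric, alphabetic and `~` segments, no `^` handling) and runs it over a constructed `rpm -q` listing.

```python
import re

# Fixed Mageia 8 build named in this bug's advisory: version and release.
FIXED_VERSION, FIXED_RELEASE = "4.16.2", "1.1.mga8"
SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+|~")
ARCH = re.compile(r"\.(x86_64|i586|i686|aarch64|armv7hl|noarch)$")

def rpmvercmp(a: str, b: str) -> int:
    """rpmvercmp()-style compare of version/release strings: -1, 0 or 1.
    '~' sorts before anything, numeric beats alphabetic, numbers by value."""
    sa, sb = SEGMENT.findall(a), SEGMENT.findall(b)
    for i in range(max(len(sa), len(sb))):
        x = sa[i] if i < len(sa) else None   # None: this string ran out
        y = sb[i] if i < len(sb) else None
        if x == "~" or y == "~":
            if x != y:
                return 1 if y == "~" else -1
            continue
        if x is None or y is None:
            return -1 if x is None else 1   # longer string is newer
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() or y.isdigit():
            c = 1 if x.isdigit() else -1
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    return 0

def parse_nvr(pkg: str):
    """Split 'name-version-release[.arch]' as printed by rpm -q."""
    name, version, release = ARCH.sub("", pkg.strip()).rsplit("-", 2)
    return name, version, release

def is_fixed(version: str, release: str) -> bool:
    """True when the package is at or above the fixed build (EVR compare)."""
    c = rpmvercmp(version, FIXED_VERSION) or rpmvercmp(release, FIXED_RELEASE)
    return c >= 0

def audit(rpm_q_output: str) -> dict:
    """Map each package line of `rpm -q thunar` output to fixed/not fixed."""
    return {p: is_fixed(*parse_nvr(p)[1:]) for p in rpm_q_output.split()}

# Constructed sample: the thunar package before and after the update in this bug.
SAMPLE = "thunar-4.16.2-1.mga8.x86_64\nthunar-4.16.2-1.1.mga8.x86_64\n"
```

Run `audit(SAMPLE)` to see the 1.mga8 build reported as not fixed and the 1.1.mga8 build as fixed; the same comparison also accepts any later version such as 4.16.8.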

Aurelien Oudelet 2021-05-22 18:42:51 CEST

Keywords: (none) => feedback

Comment 4 Guillaume Royer 2021-06-03 20:30:39 CEST
MGA 8 XFCE 64

Before update Thunar worked well.

Update Thunar with QA repo and:

- lib64thunarx3_0-4.16.2-1.1.mga8.x86_64
- thunar-4.16.2-1.1.mga8.x86_64

After update Thunar is ok, Navigation Ok, Open files Ok

CC: (none) => guillaume.royer

