Hi,

When called with a regular file as command line argument, Thunar would delegate to some other program without user confirmation based on the file type. This could be exploited to trigger code execution in a chain of vulnerabilities.

This is fixed in 4.16.8.

References:
https://www.openwall.com/lists/oss-security/2021/05/09/2
https://www.openwall.com/lists/oss-security/2021/05/11/3

Best regards,
Nico.
Source RPM: (none) => thunar-4.16.2-1.mga8.src.rpm
Status comment: (none) => Fixed upstream in version 4.16.8
CVE: (none) => CVE-2021-32563
fixed in svn

src:
- thunar-4.16.2-1.1.mga8
Assignee: bugsquad => qa-bugs
Status comment: Fixed upstream in version 4.16.8 => (none)
CC: (none) => mageia
Advisory:
========================

Updated thunar packages fix a security vulnerability:

An issue was discovered in Thunar before 4.16.7 and 4.17.x before 4.17.2. When called with a regular file as a command-line argument, it delegates to a different program (based on the file type) without user confirmation. This could be used to achieve code execution (CVE-2021-32563).

References:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32563
- https://www.openwall.com/lists/oss-security/2021/05/09/2
- https://www.openwall.com/lists/oss-security/2021/05/11/3
========================

Updated packages in core/updates_testing:
========================
lib(64)thunarx-devel-4.16.2-1.1.mga8
lib(64)thunarx-gir3.0-4.16.2-1.1.mga8
lib(64)thunarx3_0-4.16.2-1.1.mga8
thunar-4.16.2-1.1.mga8

from SRPM:
thunar-4.16.2-1.1.mga8.src.rpm
CC: (none) => ouaurelien
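As an added example (not part of this bug report or of the Mageia packaging), the following shell helper turns the advisory's affected ranges (before 4.16.7, and 4.17.x before 4.17.2) into a check a QA tester can run against the output of `thunar -V`. The version strings it is fed below are constructed from those quoted in this report; nothing here executes Thunar.

```shell
#!/bin/sh
# Added example: classify a Thunar version against the ranges named in
# the advisory for CVE-2021-32563 (affected: < 4.16.7, or 4.17.0 <= v < 4.17.2).

# Turn "X.Y.Z" into one integer so that versions compare numerically
# (missing components count as 0, extra components are ignored).
version_key() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    printf '%d' $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Exit status 0 if the given version is in an affected range, 1 otherwise.
thunar_affected() {
    v=$(version_key "$1")
    fixed_16=$(version_key 4.16.7)
    first_17=$(version_key 4.17.0)
    fixed_17=$(version_key 4.17.2)
    if [ "$v" -lt "$fixed_16" ]; then
        return 0
    fi
    if [ "$v" -ge "$first_17" ] && [ "$v" -lt "$fixed_17" ]; then
        return 0
    fi
    return 1
}

# Pull the version out of the first line of `thunar -V` output,
# e.g. "thunar 4.16.2 (Xfce 4.16)" -> "4.16.2".
thunar_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^thunar \([0-9][0-9.]*\).*/\1/p'
}

# Print "affected <ver>" (status 0), "fixed <ver>" (status 1),
# or "unparseable" (status 2) for a captured `thunar -V` output.
check_thunar_output() {
    ver=$(thunar_version_from_output "$1")
    [ -n "$ver" ] || { echo "unparseable"; return 2; }
    if thunar_affected "$ver"; then echo "affected $ver"; return 0; fi
    echo "fixed $ver"; return 1
}

# Constructed sample outputs matching the versions quoted in this report.
if [ "${1:-}" = "--demo" ]; then
    check_thunar_output "thunar 4.16.2 (Xfce 4.16)"
    check_thunar_output "thunar 4.16.8 (Xfce 4.16)"
fi
```

On a live system the same check is `check_thunar_output "$(thunar -V)"`.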
I must be testing it wrong

before

$ thunar -V
thunar 4.16.2 (Xfce 4.16)
$ thunar hatched.odt

the file opens with libreoffice

-----------
installed

The following 2 packages are going to be installed:
- lib64thunarx3_0-4.16.2-1.1.mga8.x86_64
- thunar-4.16.2-1.1.mga8.x86_64

after

$ thunar -V
thunar 4.16.2 (Xfce 4.16)
$ thunar hatched.odt

the file is opened with libreoffice again
CC: (none) => brtians1
Keywords: (none) => feedback
MGA 8 XFCE 64

Before update Thunar worked well.

Update Thunar with QA repo and:
- lib64thunarx3_0-4.16.2-1.1.mga8.x86_64
- thunar-4.16.2-1.1.mga8.x86_64

After update Thunar is ok, Navigation Ok, Open files Ok
CC: (none) => guillaume.royer
Let's try a full update to 4.16.8, which contains the fixes.

thunar-4.16.8-1.mga8
libthunarx-devel-4.16.8-1.mga8
libthunarx3_0-4.16.8-1.mga8
libthunarx-gir3.0-4.16.8-1.mga8

from thunar-4.16.8-1.mga8.src.rpm
Keywords: feedback => (none)
$ uname -a
Linux localhost.localdomain 5.10.46-desktop-1.mga8 #1 SMP Thu Jun 24 14:33:54 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

The following 4 packages are going to be installed:
- glibc-2.32-16.mga8.x86_64
- glibc-devel-2.32-16.mga8.x86_64
- lib64thunarx3_0-4.16.8-1.mga8.x86_64
- thunar-4.16.8-1.mga8.x86_64

---

I rebooted

$ thunar -V
thunar 4.16.8 (Xfce 4.16)
Copyright (c) 2004-2020 The Thunar development team. All rights reserved.
Written by Benedikt Meurer <benny@xfce.org>.
Please report bugs to <https://gitlab.xfce.org/xfce/thunar>.

now when I run thunar against a file, it just opens thunar in the current folder.

$ thunar thunar41681.txt

It does not execute a program

This is now fixed!
Whiteboard: (none) => MGA8-64-OK
Validating. The advisory in Comment 2 should work, as long as the srpm information from Comment 5 is used.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
(In reply to Thomas Andrews from comment #7)
> Validating. The advisory in Comment 2 should work, as long as the srpm
> information from Comment 5 is used.

Yeah.
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0306.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED