Bug 429513 (CVE-2008-0386)
| Summary: | CVE-2008-0386 xdg-open allows to execute arbitrary commands | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Miroslav Lichvar <mlichvar> |
| Component: | xdg-utils | Assignee: | Rex Dieter <rdieter> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | 8 | CC: | rbu, security-response-team |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | impact=moderate,source=redhat,reported=20080121,public=20080128 | ||
| Fixed In Version: | 1.0.2-4.fc7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2008-01-26 06:44:53 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
I proposed an un-embargo date of Monday 28th. Rex: Would it be possible to make a fix by then? Please do not commit a fix publicly until then. Also, I was not able to find a way to communicate security-sensitive information to upstream. Could you please assist with it?

xdg-email from the package has the same problem.

From upstream:

> A quick test showed that instead of the problematic sed command this should work as well:
>
> `browser_with_arg=${browser//'%s'/"$1"}`
>
> However I have only tested this with /bin/sh being a symlink to /bin/bash, so it will still need testing for other shells.
Has anyone of you looked at whether this only affects Fedora 8?

I'm pretty sure this issue is valid pretty much everywhere xdg-utils is deployed, currently all supported Fedora and EPEL releases.

This is public now:
http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-open.in?r1=1.17&r2=1.18
http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-open?r1=1.32&r2=1.33
http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-email.in?r1=1.24&r2=1.25
http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-email?r1=1.36&r2=1.37

Patch is in CVS and building now.
https://admin.fedoraproject.org/updates/F8/pending/xdg-utils-1.0.2-4.fc8
https://admin.fedoraproject.org/updates/F7/pending/xdg-utils-1.0.2-4.fc7

xdg-utils-1.0.2-4.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.

xdg-utils-1.0.2-4.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.

By the same token another use of sed in xdg-open can be eliminated. Like this:

```sh
# Normalise kfmclient's exit status based on the installed KDE version.
# $1 = exit status of the preceding kfmclient call, $2 $3 = "KDE:" "<version>"
# as produced by `kde-config --version | grep KDE`.
kfmclient_fix_exit_code()
{
    # Bail out (status 1) if the second word is not the "KDE:" label.
    test "$2" = "KDE:" || return 1
    release="$3"
    # Keep only the leading digits-and-dots part of the version string.
    release="${release%%[^0-9.]*}"
    # Peel off major, minor and release numbers with parameter expansion
    # instead of piping the string through sed.
    major=${release%%.*}
    release=${release#$major.}
    minor=${release%%.*}
    release=${release#$minor.}
    # KDE newer than 3.5.4: pass kfmclient's real exit status through.
    test "$major" -gt 3 && return $1
    test "$minor" -gt 5 && return $1
    test "$release" -gt 4 && return $1
    # Older KDE: report success regardless of what kfmclient returned.
    return 0
}
```

and call it with

```sh
kfmclient_fix_exit_code $? `kde-config --version 2>/dev/null | grep KDE`
```
Description of problem:

The generic handler of xdg-open (i.e. when not running in KDE, GNOME or XFCE) has the following code:

```sh
browser_with_arg=`echo "$browser" | sed s#%s#"$1"#`
if [ x"$browser_with_arg" = x"$browser" ]; then
    "$browser" "$1";
else
    $browser_with_arg;
fi
```

sed interprets any commands in the argument and the result is executed by the script.

Version-Release number of selected component (if applicable):
xdg-utils-1.0.2-2.fc8

How reproducible:
Always

Steps to Reproduce:
1. uninstall perl-File-MimeInfo package (not necessary with xdg-utils-1.0.2-3)
2. start plain X session
3. `xdg-open 'http://foo.org/bar#;g;sx$xtouch:foox'`

Actual results:
File foo created.

Expected results:
The page opened in a web browser.

Additional info:
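The substitution the description above is about, shown as an added example that is not xdg-utils code: the sed-based form from the report next to a form that does the `%s` replacement with shell parameter expansion, so the URL is never handed to a second interpreter. The upstream comment earlier in this bug suggests bash's `${browser//'%s'/"$1"}` and notes it was only tested with bash as /bin/sh; the version below uses POSIX prefix/suffix expansion so it also runs under dash. The function names and the template and URL values are constructed for this example.

```shell
#!/bin/sh
# Added example (not xdg-utils code): the sed-based substitution from the bug
# beside a parameter-expansion form that never hands the URL to sed.
# POSIX sh on purpose, so it runs where /bin/sh is dash rather than bash.

# Vulnerable shape, as quoted in the report. The URL is spliced into a sed
# script whose s/// delimiter is "#"; a "#" in the URL therefore ends the
# replacement early and sed parses whatever follows as flags or commands.
unsafe_substitute() {
    echo "$1" | sed s#%s#"$2"#
}

# Fixed shape. The template is split around its first "%s" with POSIX
# parameter expansion and the URL is concatenated in between. The URL is
# only ever string data here: no sed, no eval, no re-parsing.
safe_substitute() {
    template=$1
    url=$2
    case $template in
        *%s*)
            prefix=${template%%"%s"*}   # text before the first %s
            suffix=${template#*"%s"}    # text after it
            printf '%s\n' "$prefix$url$suffix"
            ;;
        *)
            # No placeholder: same fallback as the original, "$browser" "$1"
            printf '%s %s\n' "$template" "$url"
            ;;
    esac
}

# Demo on a constructed URL with a "#" in its fragment (ordinary, not malicious).
demo_url='http://example.invalid/page#section'
unsafe_substitute 'firefox %s' "$demo_url" || echo "sed rejected the URL (exit $?)"
safe_substitute 'firefox %s' "$demo_url"
```

Even an ordinary fragment URL makes the sed form fail, because everything after the third `#` is read as sed syntax; the expansion form returns the template with the URL inserted verbatim. Note that the original script still runs the result as an unquoted `$browser_with_arg`, which word-splits and globs the string but does not re-parse it as shell syntax, so a URL containing a space or `*` is a robustness problem for that step rather than a command injection.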