Bug 429513 (CVE-2008-0386)
| Field | Value |
|---|---|
| Summary | CVE-2008-0386 xdg-open allows to execute arbitrary commands |
| Product | [Fedora] Fedora |
| Component | xdg-utils |
| Status | CLOSED CURRENTRELEASE |
| Severity | low |
| Priority | low |
| Version | 8 |
| Hardware | All |
| OS | Linux |
| Whiteboard | impact=moderate,source=redhat,reported=20080121,public=20080128 |
| Fixed In Version | 1.0.2-4.fc7 |
| Doc Type | Bug Fix |
| Reporter | Miroslav Lichvar <mlichvar> |
| Assignee | Rex Dieter <rdieter> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | rbu, security-response-team |
| Keywords | Security |
| Last Closed | 2008-01-26 06:44:53 UTC |

Description
Miroslav Lichvar
2008-01-21 09:42:15 UTC
I proposed an un-embargo date of Monday 28th. Rex: Would it be possible to make a fix until then? Please do not commit a fix publicly until then.

Also, I was not able to find a way to communicate security-sensitive information to upstream. Could you please assist with it?

xdg-email from the package has the same problem.

From upstream: A quick test showed that instead of the problematic sed command this should work as well:

```sh
browser_with_arg=${browser//'%s'/"$1"}
```

However, I have only tested this with /bin/sh being a symlink to /bin/bash, so it will still need testing for other shells.

Has anyone of you looked at whether this only affects Fedora 8?

I'm pretty sure this issue is valid pretty much everywhere xdg-utils is deployed, currently all supported Fedora and EPEL releases.

This is public now:

- http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-open.in?r1=1.17&r2=1.18
- http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-open?r1=1.32&r2=1.33
- http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-email.in?r1=1.24&r2=1.25
- http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-email?r1=1.36&r2=1.37

Patch is in CVS and building now.

- https://admin.fedoraproject.org/updates/F8/pending/xdg-utils-1.0.2-4.fc8
- https://admin.fedoraproject.org/updates/F7/pending/xdg-utils-1.0.2-4.fc7

xdg-utils-1.0.2-4.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.

xdg-utils-1.0.2-4.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.

By the same token, another use of sed in xdg-open can be eliminated. Like this:

```sh
# $1: exit code from kfmclient; $2 $3: the "KDE: <version>" line from kde-config
kfmclient_fix_exit_code()
{
    test "$2" = "KDE:" || return 1
    release="$3"
    release="${release%%[^0-9.]*}"
    major=${release%%.*}
    release=${release#$major.}
    minor=${release%%.*}
    release=${release#$minor.}
    # Newer releases: pass the original exit code through
    test "$major" -gt 3 && return $1
    test "$minor" -gt 5 && return $1
    test "$release" -gt 4 && return $1
    # Otherwise report success
    return 0
}
```

and call it with

```sh
kfmclient_fix_exit_code $? `kde-config --version 2>/dev/null | grep KDE`
```
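
The upstream suggestion in this thread was only tested with /bin/sh as bash, and `${var//pattern/replacement}` is a bash extension rather than POSIX. The following is an added example, not xdg-utils code: it performs the same literal `%s` substitution with POSIX-only parameter expansion, next to a constructed sed stand-in (not the original xdg-open line) that shows how sed reinterprets characters taken from the URL. Function names and sample URLs are constructed.

```shell
#!/bin/sh
# Added example, not xdg-utils code. Names and sample values are constructed.

# Replace every literal "%s" in a browser command template ($1) with the
# URL ($2) using only POSIX parameter expansion: no sed, no bash-only ${v//a/b}.
# The URL is copied byte for byte and is never parsed as a pattern or script.
subst_url() {
    template=$1
    url=$2
    result=
    while :; do
        case $template in
            *%s*)
                # Text before the first "%s", followed by the literal URL.
                result=$result${template%%"%s"*}$url
                # Continue scanning after that "%s"; the inserted URL is
                # not rescanned, so a "%s" inside the URL stays as it is.
                template=${template#*"%s"}
                ;;
            *)
                result=$result$template
                break
                ;;
        esac
    done
    printf '%s\n' "$result"
}

# Constructed stand-in for a sed-based substitution, for contrast only.
# The URL becomes part of the sed script, so sed applies its own syntax
# to it: "&" in a replacement means "the matched text".
subst_url_sed() {
    printf '%s\n' "$1" | sed "s|%s|$2|"
}

# Constructed sample URL: the "&" survives only in the first form.
subst_url     'firefox %s' 'http://example.com/?a=1&b=2'
subst_url_sed 'firefox %s' 'http://example.com/?a=1&b=2'
```

`subst_url` only covers the substitution step; the result is still a single string, and how it is then split and executed is a separate concern that this example does not address.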