backends/platform/sdl/posix/posix.cpp in ScummVM 1.9.0 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL.

References:
https://security-tracker.debian.org/tracker/CVE-2017-17528
https://bugzilla.novell.com/show_bug.cgi?id=1073248
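One way to validate a URL before handing it to the BROWSER program, as an added example that is not ScummVM's code or its actual fix. The function names, the character allowlist, the length limit, and the treatment of BROWSER as a single program name are assumptions of this example.

```cpp
#include <cstdlib>
#include <string>
#include <vector>
#include <sys/types.h>
#include <unistd.h>

// Hypothetical helper: accept only http(s) URLs built from a conservative
// allowlist (no whitespace, quotes, backslash, backtick, $, ;, |, <, > or
// control characters). The length limit is an assumption of this example.
bool isSafeBrowserUrl(const std::string &url) {
    static const std::string kAllowed =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
        "-._~:/?#[]@!+,=%&";
    if (url.empty() || url.size() > 2048)
        return false;
    // Requiring the scheme also rules out a leading '-', which the launched
    // program would otherwise parse as an option instead of a URL.
    if (url.compare(0, 7, "http://") != 0 && url.compare(0, 8, "https://") != 0)
        return false;
    return url.find_first_not_of(kAllowed) == std::string::npos;
}

// Build the argument vector: the URL is always exactly one argv element.
// An empty result means "do not launch".
std::vector<std::string> buildBrowserArgv(const std::string &browser,
                                          const std::string &url) {
    if (browser.empty() || !isSafeBrowserUrl(url))
        return {};
    return {browser, url};
}

// Launch $BROWSER with execvp(), so no shell ever re-parses the URL.
// The caller is expected to reap the child (waitpid or a SIGCHLD handler).
bool launchBrowser(const std::string &url) {
    const char *env = std::getenv("BROWSER");
    std::vector<std::string> args = buildBrowserArgv(env ? env : "", url);
    if (args.empty())
        return false;
    std::vector<char *> argv;
    for (std::string &a : args)
        argv.push_back(&a[0]);
    argv.push_back(nullptr);
    pid_t pid = fork();
    if (pid == 0) {
        execvp(argv[0], argv.data());
        _exit(127); // exec failed
    }
    return pid > 0;
}
```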
Created scummvm tracking bugs for this issue: Affects: fedora-all [bug 1528426]
scummvm-2.0.0-1.fc28, scummvm-tools-2.0.0-1.fc28 have been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
scummvm-2.0.0-1.fc27, scummvm-tools-2.0.0-1.fc27 have been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.