Red Hat Bugzilla – Bug 429513
CVE-2008-0386 xdg-open allows to execute arbitrary commands
Last modified: 2008-01-26 14:05:30 EST
Description of problem:
The generic handler of xdg-open (i.e. when not running in KDE, GNOME or XFCE)
has the following code:
browser_with_arg=`echo "$browser" | sed s#%s#"$1"#`
if [ x"$browser_with_arg" = x"$browser" ]; then "$browser" "$1";
sed interprets any commands in the argument and the result is executed by the
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. uninstall perl-File-MimeInfo package (not necessary with xdg-utils-1.0.2-3)
2. start plain X session
3. xdg-open 'http://foo.org/bar#;g;sx$xtouch:foox'
File foo created.
The page opened in a web browser.
I proposed an un-embargo date of Monday 28th.
Rex: Would it be possible to make a fix by then? Please do not commit a fix
publicly until then. Also, I was not able to find a way to communicate
security-sensitive information to upstream. Could you please assist with it?
xdg-email from the package has the same problem.
A quick test showed that instead of the problematic sed command this should
work as well
However, I have only tested this with /bin/sh being a symlink to /bin/bash, so
it will still need testing for other shells.
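As an added example (not code from xdg-utils and not the replacement any commenter tested here): the sed-based substitution quoted in the description, placed beside a pure-shell form that replaces the first %s with POSIX parameter expansion so the URL is never part of a sed program. The function names, the browser template and the URL are constructed for the example.

```sh
#!/bin/sh
# Added example (not xdg-utils code): substituting a URL into a browser
# command template without handing the URL to sed.

# The pattern reported in this bug: the URL ($2) is spliced into the sed
# program itself, so '#' (the s delimiter) and ';' (command separator)
# inside the URL change what the sed script does.
browser_with_arg_unsafe() {
    echo "$1" | sed s#%s#"$2"#
}

# Hardened form: POSIX parameter expansion replaces the first %s, matching
# the single substitution of the original s command. The URL is only ever
# data; no character in it is interpreted by sed or by the shell.
browser_with_arg_safe() {
    browser=$1
    url=$2
    case $browser in
        *%s*) printf '%s\n' "${browser%%%s*}${url}${browser#*%s}" ;;
        *)    printf '%s\n' "$browser" ;;   # no placeholder: run "$browser" "$url"
    esac
}

# Constructed sample inputs (no real browser is started).
template='firefox -remote openURL(%s,new-window)'
url='http://example.test/page#frag;x'
printf 'safe: %s\n' "$(browser_with_arg_safe "$template" "$url")"
```

The original code still expands the substituted string unquoted afterwards, so a URL containing whitespace is split into several arguments even with the safe substitution; where the template has no %s, the two-word form "$browser" "$1" that xdg-open already uses avoids that word splitting entirely.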
Has anyone of you looked if this only affects Fedora 8?
I'm pretty sure this issue is valid pretty much everywhere xdg-utils is
deployed, currently all supported Fedora and EPEL releases.
This is public now:
Patch is in CVS and building now.
xdg-utils-1.0.2-4.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
xdg-utils-1.0.2-4.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
By the same token another use of sed in xdg-open can be eliminated.
test "$2" = "KDE:" || return 1
test "$major" -gt 3 && return $1
test "$minor" -gt 5 && return $1
test "$release" -gt 4 && return $1
and call it with
kfmclient_fix_exit_code $? `kde-config --version 2>/dev/null | grep KDE`
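As an added example (my own code, not the xdg-utils function or the exact replacement proposed above): the version check from the comment, with the "KDE: 3.5.8" string split by shell builtins (IFS and parameter expansion) instead of sed, called with the same argument layout as shown ($1 the kfmclient exit code, $2 the "KDE:" tag, $3 the version). Two things are assumptions: the check is done against the whole version 3.5.4 rather than field by field, and the function returns 0 when the version is not newer than that; the sample version strings are constructed.

```sh
#!/bin/sh
# Added example (not the xdg-utils function itself): version parsing for the
# kfmclient exit-code fix without sed. Call as in the comment above:
#   kfmclient_fix_exit_code $? `kde-config --version 2>/dev/null | grep KDE`

# Keep only the leading run of digits; empty or non-numeric input gives 0,
# so the later numeric tests never see a malformed field.
digits_or_zero() {
    n=${1%%[!0-9]*}
    printf '%s\n' "${n:-0}"
}

# Returns 1 when $2 is not the "KDE:" tag, the original exit code ($1) when
# KDE is newer than 3.5.4, and 0 otherwise (assumption: exit codes of older
# kfmclient versions are treated as unreliable, which is what the checks in
# the comment above imply).
kfmclient_fix_exit_code() {
    code=$1
    test "$2" = "KDE:" || return 1
    version=$3

    # Split "3.5.8" on dots with IFS; positional parameters are local to the
    # function, so set -- does not clobber the caller's arguments.
    oldifs=$IFS
    IFS=.
    set -- $version
    IFS=$oldifs
    major=$(digits_or_zero "${1:-0}")
    minor=$(digits_or_zero "${2:-0}")
    release=$(digits_or_zero "${3:-0}")

    # Compare the whole version against 3.5.4 (assumption), not each field
    # independently.
    if [ "$major" -gt 3 ]; then return "$code"; fi
    if [ "$major" -eq 3 ] && [ "$minor" -gt 5 ]; then return "$code"; fi
    if [ "$major" -eq 3 ] && [ "$minor" -eq 5 ] && [ "$release" -gt 4 ]; then return "$code"; fi
    return 0
}

# Constructed samples of `kde-config --version | grep KDE` output.
kfmclient_fix_exit_code 4 KDE: 3.5.8; printf 'KDE 3.5.8, kfmclient exit 4 -> %s\n' "$?"
kfmclient_fix_exit_code 4 KDE: 3.5.4; printf 'KDE 3.5.4, kfmclient exit 4 -> %s\n' "$?"
```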