Bug 429513 (CVE-2008-0386) - CVE-2008-0386 xdg-open allows to execute arbitrary commands
Summary: CVE-2008-0386 xdg-open allows to execute arbitrary commands
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2008-0386
Product: Fedora
Classification: Fedora
Component: xdg-utils
Version: 8
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Rex Dieter
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: impact=moderate,source=redhat,reporte...
Depends On:
Blocks:
Reported: 2008-01-21 09:42 UTC by Miroslav Lichvar
Modified: 2008-01-26 19:05 UTC (History)

Fixed In Version: 1.0.2-4.fc7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-01-26 06:44:53 UTC
Type: ---
Embargoed:



Description Miroslav Lichvar 2008-01-21 09:42:15 UTC
Description of problem:
The generic handler of xdg-open (i.e. when not running in KDE, GNOME or XFCE)
has the following code:

  browser_with_arg=`echo "$browser" | sed s#%s#"$1"#`

  if [ x"$browser_with_arg" = x"$browser" ]; then "$browser" "$1";
    else $browser_with_arg;
  fi

sed interprets any commands in the argument and the result is executed by the
script.

Version-Release number of selected component (if applicable):
xdg-utils-1.0.2-2.fc8

How reproducible:
Always

Steps to Reproduce:
1. uninstall perl-File-MimeInfo package (not necessary with xdg-utils-1.0.2-3)
2. start plain X session
3. xdg-open 'http://foo.org/bar#;g;sx$xtouch:foox'
  
Actual results:
File foo created.

Expected results:
The page opened in a web browser.

Additional info:

Comment 1 Lubomir Kundrak 2008-01-21 09:56:20 UTC
I proposed an un-embargo date of Monday 28th.

Rex: Would it be possible to make a fix until then? Please do not commit a fix
publicly until then. Also, I was not able to find a way to communicate
security-sensitive information to upstream. Could you please assist with it?

Comment 2 Miroslav Lichvar 2008-01-21 11:43:46 UTC
xdg-email from the package has the same problem.

Comment 3 Lubomir Kundrak 2008-01-21 16:34:27 UTC
From upstream:

A quick test showed that instead of the problematic sed command this should
work as well

browser_with_arg=${browser//'%s'/"$1"}

However I have only tested this with /bin/sh being a symlink to /bin/bash, so
it will still need testing for other shells.
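The substitution above, carried through as a portable example. This is added code, not code from xdg-utils, xdg-open, xdg-email or any commenter here. The bash-only ${var//'%s'/"$1"} form needs /bin/sh to be bash; the version below uses only POSIX parameter expansion (prefix and suffix stripping), so it also runs under dash or busybox ash, and it inserts the URL into a single argv word instead of building a command string for sed. The function names substitute_once and run_browser, and the "echo %s" browser template used for demonstration, are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not xdg-utils code): replace the first "%s" in a browser
# command template with an argument taken literally.  No external command
# touches the argument, so sed syntax such as '#', ';', 'g' or 's...' inside
# a URL can never be interpreted as sed commands.

# substitute_once TEMPLATE ARG
#   Print TEMPLATE with its first "%s" replaced by ARG, using only
#   POSIX ${var%%pattern} / ${var#pattern} expansion.
substitute_once() {
    tpl=$1
    arg=$2
    case $tpl in
        *%s*)
            head=${tpl%%%s*}   # text before the first "%s"
            tail=${tpl#*%s}    # text after the first "%s"
            printf '%s\n' "$head$arg$tail"
            ;;
        *)
            printf '%s\n' "$tpl"
            ;;
    esac
}

# run_browser TEMPLATE URL
#   Split TEMPLATE on whitespace into an argv list, substitute URL into the
#   word carrying "%s" (or append it as its own word when there is no
#   placeholder, mirroring xdg-open's "$browser" "$1" branch), then execute
#   the list directly.  The URL always arrives as exactly one argv element,
#   whatever characters it contains, and neither sed nor eval is involved.
run_browser() {
    tpl=$1
    url=$2
    # Disable pathname expansion while splitting the template so that a
    # word such as "*" in a template is not globbed; restore it afterwards.
    case $- in *f*) had_noglob=1 ;; *) had_noglob=0 ;; esac
    set -f
    set --
    found=0
    for word in $tpl; do   # word-splits the template only, never the URL
        case $word in
            *%s*)
                set -- "$@" "$(substitute_once "$word" "$url")"
                found=1
                ;;
            *)
                set -- "$@" "$word"
                ;;
        esac
    done
    [ "$found" -eq 1 ] || set -- "$@" "$url"
    [ "$had_noglob" -eq 1 ] || set +f
    "$@"
}

# Stand-alone demo: pass a URL on the command line and "echo" stands in for
# the browser, printing exactly the single argument it received.
if [ $# -gt 0 ]; then
    run_browser 'echo %s' "$1"
fi
```

With the report's test URL, run_browser 'echo %s' 'http://foo.org/bar#;g;sx$xtouch:foox' prints the URL unchanged, because the string is only ever moved between shell variables; the same substitute_once helper can back the xdg-email path that Comment 2 notes has the identical flaw.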

Comment 4 Lubomir Kundrak 2008-01-22 18:45:28 UTC
Has anyone of you looked if this only affects Fedora 8?

Comment 5 Rex Dieter 2008-01-22 18:57:29 UTC
I'm pretty sure this issue is valid pretty much everywhere xdg-utils is
deployed, currently all supported Fedora and EPEL releases.

Comment 8 Fedora Update System 2008-01-26 06:44:51 UTC
xdg-utils-1.0.2-4.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2008-01-26 06:44:57 UTC
xdg-utils-1.0.2-4.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Michal Jaegermann 2008-01-26 19:05:30 UTC
By the same token another use of sed in xdg-open can be eliminated.
Like this:

kfmclient_fix_exit_code()
{
    # $1: exit status of kfmclient; $2 and $3: the "KDE: x.y.z" line from
    # `kde-config --version`, already split into two words by the caller
    test "$2" = "KDE:" || return 1
    release="$3"
    release="${release%%[^0-9.]*}"   # keep only the leading digits and dots
    major=${release%%.*}
    release=${release#$major.}
    minor=${release%%.*}
    release=${release#$minor.}
    # KDE releases newer than 3.5.4: pass kfmclient's own status through
    test "$major" -gt 3 && return $1
    test "$minor" -gt 5 && return $1
    test "$release" -gt 4 && return $1
    # older releases: ignore the status and report success
    return 0
}

and call it with

    kfmclient_fix_exit_code $? `kde-config --version 2>/dev/null | grep KDE`
