Bug 429513 - (CVE-2008-0386) CVE-2008-0386 xdg-open allows to execute arbitrary commands
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: xdg-utils
Version: 8
Hardware: All Linux
Priority: low
Severity: low
Assigned To: Rex Dieter
QA Contact: Fedora Extras Quality Assurance
Whiteboard: impact=moderate,source=redhat,reporte...
Keywords: Security
Reported: 2008-01-21 04:42 EST by Miroslav Lichvar
Modified: 2008-01-26 14:05 EST (History)
Fixed In Version: 1.0.2-4.fc7
Doc Type: Bug Fix
Last Closed: 2008-01-26 01:44:53 EST


Description Miroslav Lichvar 2008-01-21 04:42:15 EST
Description of problem:
The generic handler of xdg-open (i.e. when not running in KDE, GNOME or XFCE)
has the following code:

  browser_with_arg=`echo "$browser" | sed s#%s#"$1"#`

  if [ x"$browser_with_arg" = x"$browser" ]; then "$browser" "$1";
    else $browser_with_arg;
  fi

sed interprets any commands in the argument and the result is executed by the
script.

Version-Release number of selected component (if applicable):
xdg-utils-1.0.2-2.fc8

How reproducible:
Always

Steps to Reproduce:
1. uninstall perl-File-MimeInfo package (not necessary with xdg-utils-1.0.2-3)
2. start plain X session
3. xdg-open 'http://foo.org/bar#;g;sx$xtouch:foox'
  
Actual results:
File foo created.

Expected results:
The page opened in a web browser.

Additional info:
Comment 1 Lubomir Kundrak 2008-01-21 04:56:20 EST
I proposed an un-embargo date of Monday 28th.

Rex: Would it be possible to make a fix by then? Please do not commit a fix
publicly until then. Also, I was not able to find a way to communicate
security-sensitive information to upstream. Could you please assist with it?
Comment 2 Miroslav Lichvar 2008-01-21 06:43:46 EST
xdg-email from the package has the same problem.
Comment 3 Lubomir Kundrak 2008-01-21 11:34:27 EST
From upstream:

A quick test showed that instead of the problematic sed command this should 
work as well

browser_with_arg=${browser//'%s'/"$1"}

However I have only tested this with /bin/sh being a symlink to /bin/bash, so 
it will still need testing for other shells.
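
Added example, not part of the bug report and not xdg-utils code: one POSIX sh way to do the `%s` substitution discussed in Comment 3 without sed and without the bash-only `${var//}` expansion, while keeping the URL a single argument. The function names `replace_placeholder` and `open_with` are hypothetical, and the browser template is assumed to be trusted configuration.

```shell
#!/bin/sh
# Added example (not xdg-utils code): POSIX sh only, no ${var//} bashism.

# replace_placeholder TEMPLATE VALUE
# Print TEMPLATE with each literal "%s" replaced by VALUE. Only parameter
# expansion is used, so VALUE is never parsed as sed or shell syntax.
replace_placeholder() (
    rest=$1 out=
    while :; do
        case $rest in
            *%s*) out=$out${rest%%"%s"*}$2     # text before first %s, then VALUE
                  rest=${rest#*"%s"} ;;        # continue after that %s
            *)    break ;;
        esac
    done
    printf '%s\n' "$out$rest"
)

# open_with BROWSER_TEMPLATE URL
# Only the trusted template is word-split. The URL is substituted inside
# individual words afterwards, so it stays one argument whatever it contains.
open_with() (
    template=$1 url=$2 found=0
    set -f                      # no pathname expansion while splitting
    set -- $template            # intentional split of the trusted template
    set +f
    n=$#
    [ "$n" -gt 0 ] || return 1  # empty template: nothing to run
    while [ "$n" -gt 0 ]; do    # rotate through the words, rewriting each
        word=$1; shift
        case $word in
            *%s*) found=1; word=$(replace_placeholder "$word" "$url") ;;
        esac
        set -- "$@" "$word"
        n=$((n - 1))
    done
    # No placeholder in the template: append the URL as a separate argument.
    [ "$found" -eq 1 ] || set -- "$@" "$url"
    "$@"
)
```

Both functions have subshell bodies, so their variables and the `set -f` toggle do not leak into the calling script.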
Comment 4 Lubomir Kundrak 2008-01-22 13:45:28 EST
Have any of you looked at whether this only affects Fedora 8?
Comment 5 Rex Dieter 2008-01-22 13:57:29 EST
I'm pretty sure this issue is valid pretty much everywhere xdg-utils is
deployed, currently all supported Fedora and EPEL releases.
Comment 8 Fedora Update System 2008-01-26 01:44:51 EST
xdg-utils-1.0.2-4.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2008-01-26 01:44:57 EST
xdg-utils-1.0.2-4.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Michal Jaegermann 2008-01-26 14:05:30 EST
By the same token another use of sed in xdg-open can be eliminated.
Like this:

kfmclient_fix_exit_code()
{
    test "$2" = "KDE:" || return 1
    release="$3"
    release="${release%%[^0-9.]*}"
    major=${release%%.*}
    release=${release#$major.}
    minor=${release%%.*}
    release=${release#$minor.}
    test "$major" -gt 3 && return $1
    test "$minor" -gt 5 && return $1
    test "$release" -gt 4 && return $1
    return 0
}

and call it with

    kfmclient_fix_exit_code $? `kde-config --version 2>/dev/null | grep KDE`
