Fedora Account System
Red Hat Associate
Red Hat Customer
boxes.c in nip2 8.4.0 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. References: https://security-tracker.debian.org/tracker/CVE-2017-17514
Created nip2 tracking bugs for this issue: Affects: fedora-all [bug 1526162]
The url argument to box_url() never comes from an untrusted source, so I don't think this CVE is valid. Upstream doesn't either. Whoever created the CVE didn't post a report or notify upstream, so it's not clear what attack vector they had in mind. https://fedoraproject.org/wiki/Security_Bugs doesn't say what to do in this case; should I close the bugs NOTABUG?
There's been no movement here. Closing per comment 2.