Re: Wheezy update of xdg-utils?
Hi,
I've prepared an update of the xdg-utils package for Debian Wheezy.
It's available in the Git packaging repository [1]. Please review it and, if
everything is okay, upload it to the archive.
[1]:
https://salsa.debian.org/freedesktop-team/xdg-utils/commit/1456c94f6ce507e461033b8f0fd4b50097fc1058
diff -Nru xdg-utils-1.1.0~rc1+git20111210/debian/changelog xdg-utils-1.1.0~rc1+git20111210/debian/changelog
--- xdg-utils-1.1.0~rc1+git20111210/debian/changelog 2015-02-22 06:34:40.000000000 +0300
+++ xdg-utils-1.1.0~rc1+git20111210/debian/changelog 2018-05-20 23:57:07.000000000 +0300
@@ -1,3 +1,10 @@
+xdg-utils (1.1.0~rc1+git20111210-6+deb7u4) wheezy-security; urgency=high
+
+ * Fix CVE-2017-18266, closes: #898317.
+ - Avoid argument injection vulnerability in open_generic.
+
+ -- Nicholas Guriev <guriev-ns@ya.ru> Sun, 20 May 2018 23:55:55 +0300
+
xdg-utils (1.1.0~rc1+git20111210-6+deb7u3) stable-security; urgency=high
* Non-maintainer upload by the Security Team.
diff -Nru xdg-utils-1.1.0~rc1+git20111210/debian/patches/CVE-2017-18266.patch xdg-utils-1.1.0~rc1+git20111210/debian/patches/CVE-2017-18266.patch
--- xdg-utils-1.1.0~rc1+git20111210/debian/patches/CVE-2017-18266.patch 1970-01-01 03:00:00.000000000 +0300
+++ xdg-utils-1.1.0~rc1+git20111210/debian/patches/CVE-2017-18266.patch 2018-05-20 23:53:10.000000000 +0300
@@ -0,0 +1,44 @@
+Description: Fix argument injection when browser is launched
+Author: Nicholas Guriev <guriev-ns@ya.ru>
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=103807
+Bug-Debian: https://bugs.debian.org/898317
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1772295
+Last-Update: Sun, 20 May 2018 22:41:54 +0300
+
+--- a/scripts/xdg-open.in
++++ b/scripts/xdg-open.in
+@@ -233,6 +233,7 @@ open_generic()
+ open_generic_xdg_x_scheme_handler "$1"
+ fi
+
++ local url="$1"
+ OLDIFS="$IFS"
+ IFS=":"
+ for browser in $BROWSER; do
+@@ -249,9 +250,15 @@ open_generic()
+ redirect_output="$xdg_redirect_output"
+ fi
+
++ shift $#
++ for element in $browser; do
++ set -- "$@" "$(printf -- "$element" "$url")"
++ done
++
+ if [ x"$browser_with_arg" = x"$browser" ]; then
+- eval '$browser $1'$redirect_output;
+- else eval '$browser_with_arg'$redirect_output;
++ eval '$browser "$url"'$redirect_output
++ else
++ eval '"$@"'$redirect_output
+ fi
+
+ if [ $? -eq 0 ]; then
+@@ -260,7 +267,7 @@ open_generic()
+ fi
+ done
+
+- exit_failure_operation_impossible "no method available for opening '$1'"
++ exit_failure_operation_impossible "no method available for opening '$url'"
+ }
+
+ open_lxde()
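Review bot: The `shift $#` / `set -- "$@" "$(printf -- "$element" "$url")"` loop in the second inner hunk is the actual fix, yet nothing in the code explains why argv is rebuilt this way, so a later cleanup could easily fold it back into a single string that `eval` re-splits and reintroduce the injection. I would add directly above the loop: `# Rebuild the command as argv via set --: each word of $BROWSER becomes one argument and the URL is substituted as a single quoted argument, so it is never word-split or re-parsed by eval (CVE-2017-18266).` Note that `$(printf -- "$element" "$url")` deliberately uses the user's `$BROWSER` word as the printf format (that is where `%s` comes from), but its exit status is not checked and its stderr is not redirected, so a malformed conversion in `$BROWSER` will emit a printf diagnostic on every iteration even when the `browser_with_arg` branch ends up being taken; `2>/dev/null` on that substitution would keep the failure quiet, presumably matching how `browser_with_arg` is computed outside this hunk. `local url="$1"` is a non-POSIX extension, which is fine only if the `#!/bin/sh` script already relies on `local` elsewhere, which I cannot confirm from this view. `open_generic` begins before the first inner hunk and the code between the hunks is not shown.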
diff -Nru xdg-utils-1.1.0~rc1+git20111210/debian/patches/series xdg-utils-1.1.0~rc1+git20111210/debian/patches/series
--- xdg-utils-1.1.0~rc1+git20111210/debian/patches/series 2015-02-22 06:29:51.000000000 +0300
+++ xdg-utils-1.1.0~rc1+git20111210/debian/patches/series 2018-05-20 23:53:51.000000000 +0300
@@ -10,3 +10,4 @@
command-injection.patch
xdg-open-safe.diff
CVE-2015-1877.patch
+CVE-2017-18266.patch