Re: Wheezy update of xdg-utils?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hello.
On Thursday 24 May 2018 08:06 AM, Abhijith PA wrote:
> Hi
>
> On Wednesday 23 May 2018 11:51 PM, Коля Гурьев wrote:
>> Hi,
>>
>> I've prepared an update of the xdg-utils package for Debian
>> Wheezy. It's available in Git packaging repository[1]. Please
>> review it and, if everything is okay, upload to archive.
>>
>> [1]:
>> https://salsa.debian.org/freedesktop-team/xdg-utils/commit/1456c94f6ce507e461033b8f0fd4b50097fc1058
>>
>
> Cool. I will review the patch. The correct link seems to be
> https://salsa.debian.org/freedesktop-team/xdg-utils/commit/58db4a75512fc2202f1a5935cfa1983c92d3777c
>
>
Looks good to me.
I tested the patch with
https://bugs.freedesktop.org/show_bug.cgi?id=103807#c0. You can find the
debdiff attached to this mail.
Please upload.
- --abhijith
-----BEGIN PGP SIGNATURE-----
=Nbcg
-----END PGP SIGNATURE-----
diff -Nru xdg-utils-1.1.0~rc1+git20111210/debian/changelog xdg-utils-1.1.0~rc1+git20111210/debian/changelog
--- xdg-utils-1.1.0~rc1+git20111210/debian/changelog 2015-02-22 03:34:40.000000000 +0000
+++ xdg-utils-1.1.0~rc1+git20111210/debian/changelog 2018-05-24 07:44:38.000000000 +0000
@@ -1,3 +1,10 @@
+xdg-utils (1.1.0~rc1+git20111210-6+deb7u4) wheezy-security; urgency=high
+
+ * Fix CVE-2017-18266, closes: #898317.
+ - Avoid argument injection vulnerability in open_generic.
+
+ -- Nicholas Guriev <guriev-ns@ya.ru> Sun, 20 May 2018 23:55:55 +0300
+
xdg-utils (1.1.0~rc1+git20111210-6+deb7u3) stable-security; urgency=high
* Non-maintainer upload by the Security Team.
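Review bot: the changelog entry names only the internal function (open_generic), which users reading the advisory will not recognise; it would be more useful to name the script and the vector that the patch below actually closes, e.g. "- xdg-open: avoid argument injection through a $BROWSER template when opening a crafted URL."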
diff -Nru xdg-utils-1.1.0~rc1+git20111210/debian/patches/CVE-2017-18266.patch xdg-utils-1.1.0~rc1+git20111210/debian/patches/CVE-2017-18266.patch
--- xdg-utils-1.1.0~rc1+git20111210/debian/patches/CVE-2017-18266.patch 1970-01-01 00:00:00.000000000 +0000
+++ xdg-utils-1.1.0~rc1+git20111210/debian/patches/CVE-2017-18266.patch 2018-05-24 07:44:46.000000000 +0000
@@ -0,0 +1,44 @@
+Description: Fix argument injection when browser is launched
+Author: Nicholas Guriev <guriev-ns@ya.ru>
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=103807
+Bug-Debian: https://bugs.debian.org/898317
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1772295
+Last-Update: Sun, 20 May 2018 22:41:54 +0300
+
+--- a/scripts/xdg-open.in
++++ b/scripts/xdg-open.in
+@@ -233,6 +233,7 @@ open_generic()
+ open_generic_xdg_x_scheme_handler "$1"
+ fi
+
++ local url="$1"
+ OLDIFS="$IFS"
+ IFS=":"
+ for browser in $BROWSER; do
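Review bot: `local url="$1"` introduces `local`, which is not in POSIX sh; dash and bash accept it, but if xdg-open.in does not already use `local` elsewhere, a plain `url=$1` keeps the script's portability target (open_generic is not recursive, so a global is safe here).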
+@@ -249,9 +250,15 @@ open_generic()
+ redirect_output="$xdg_redirect_output"
+ fi
+
++ shift $#
++ for element in $browser; do
++ set -- "$@" "$(printf -- "$element" "$url")"
++ done
++
+ if [ x"$browser_with_arg" = x"$browser" ]; then
+- eval '$browser $1'$redirect_output;
+- else eval '$browser_with_arg'$redirect_output;
++ eval '$browser "$url"'$redirect_output
++ else
++ eval '"$@"'$redirect_output
+ fi
+
+ if [ $? -eq 0 ]; then
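Review bot: `shift $#` discards the caller's positional parameters for the rest of open_generic, so from the second $BROWSER candidate onward any line inside the loop that still reads `$1` (for example the `browser_with_arg=` computation above this hunk, which is outside the shown context) sees an empty string; please check those references and switch them to `$url` as well, or build the argument list in a helper function so the caller's `$1` survives. Also, `for element in $browser` assumes IFS has been reset from the `:` set for `for browser in $BROWSER` back to whitespace before this point; that reset is not in the visible context, and without it a template such as `firefox %s` stays a single word and is executed as the command name.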
+@@ -260,7 +267,7 @@ open_generic()
+ fi
+ done
+
+- exit_failure_operation_impossible "no method available for opening '$1'"
++ exit_failure_operation_impossible "no method available for opening '$url'"
+ }
+
+ open_lxde()
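Review bot: this `$1` to `$url` change is needed for correctness, not just consistency: after `shift $#` inside the loop above, `$1` is empty by the time the loop falls through, so the old line would have reported opening '' instead of the URL. Worth a one-line mention in the patch description.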
diff -Nru xdg-utils-1.1.0~rc1+git20111210/debian/patches/series xdg-utils-1.1.0~rc1+git20111210/debian/patches/series
--- xdg-utils-1.1.0~rc1+git20111210/debian/patches/series 2015-02-22 03:29:51.000000000 +0000
+++ xdg-utils-1.1.0~rc1+git20111210/debian/patches/series 2018-05-24 07:44:46.000000000 +0000
@@ -10,3 +10,4 @@
command-injection.patch
xdg-open-safe.diff
CVE-2015-1877.patch
+CVE-2017-18266.patch
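As an added illustration of the pattern the patch above addresses (this is example code written for this page, not code from the thread or from xdg-utils): the old template expansion beside a quoted, per-word printf expansion, with a stand-in "browser" that only counts the arguments it receives. The names `count_args`, `run_vulnerable` and `run_fixed`, and the sample URL, are constructed for this example.

```shell
#!/bin/sh
# Added illustration, not code from this thread or from xdg-utils: models the
# two ways a $BROWSER template can be expanded and shows why a URL containing
# whitespace turns into extra browser arguments under the old scheme.
# count_args, run_vulnerable and run_fixed are names made up for this example.

# Stand-in for the browser: reports how many arguments it was started with.
count_args() { echo "$#"; }

# Old pattern. $url is expanded unquoted inside eval, so the shell word-splits
# it; when the template contains %s, printf pastes the URL into the command
# string and the whole string is eval'd, with the same word-splitting effect.
run_vulnerable() {
    browser=$1
    url=$2
    browser_with_arg=$(printf -- "$browser" "$url" 2>/dev/null) || browser_with_arg=$browser
    if [ x"$browser_with_arg" = x"$browser" ]; then
        eval '$browser $url'
    else
        eval '$browser_with_arg'
    fi
}

# Hardened pattern. Only the template is split on whitespace; the URL is
# substituted into each word with printf (the '--' keeps a word such as
# '--new-window' from being parsed as a printf option) and the result is
# passed as "$@", so the URL is always exactly one argument.
run_fixed() {
    browser=$1
    url=$2
    shift $#
    for element in $browser; do
        set -- "$@" "$(printf -- "$element" "$url")"
    done
    case $browser in
        *%s*) ;;                     # URL already placed by the template
        *)    set -- "$@" "$url" ;;  # no placeholder: append the URL as one word
    esac
    "$@"
}

# Constructed sample: a URL that smuggles a browser option after a space.
sample_url='http://example.com/ --remote-debugging-port=9222'

for template in 'count_args' 'count_args %s' 'count_args --new-window %s'; do
    echo "template '$template': old code passes $(run_vulnerable "$template" "$sample_url") args," \
         "fixed code passes $(run_fixed "$template" "$sample_url")"
done
```

Run as-is it prints, for each template, how many arguments the stand-in browser received under each scheme: the old expansion splits the URL into two words every time, while the fixed expansion delivers it as a single argument whether or not the template uses %s.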