
Re: Wheezy update of xdg-utils?




Hello.

On Thursday 24 May 2018 08:06 AM, Abhijith PA wrote:
> Hi
> 
> On Wednesday 23 May 2018 11:51 PM, Коля Гурьев wrote:
>> Hi,
>> 
>> I've prepared an update of the xdg-utils package for Debian
>> Wheezy. It's available in Git packaging repository[1]. Please
>> review it and, if everything is okay, upload to archive.
>> 
>> [1]: https://salsa.debian.org/freedesktop-team/xdg-utils/commit/1456c94f6ce507e461033b8f0fd4b50097fc1058
>>
>
> Cool. I will review the patch. The correct link seems to be
> https://salsa.debian.org/freedesktop-team/xdg-utils/commit/58db4a75512fc2202f1a5935cfa1983c92d3777c
>
Looks good to me.
I tested the patch with
https://bugs.freedesktop.org/show_bug.cgi?id=103807#c0 . You can find
the debdiff along with this mail.

Please upload.

--abhijith
diff -Nru xdg-utils-1.1.0~rc1+git20111210/debian/changelog xdg-utils-1.1.0~rc1+git20111210/debian/changelog
--- xdg-utils-1.1.0~rc1+git20111210/debian/changelog	2015-02-22 03:34:40.000000000 +0000
+++ xdg-utils-1.1.0~rc1+git20111210/debian/changelog	2018-05-24 07:44:38.000000000 +0000
@@ -1,3 +1,10 @@
+xdg-utils (1.1.0~rc1+git20111210-6+deb7u4) wheezy-security; urgency=high
+
+  * Fix CVE-2017-18266, closes: #898317.
+    - Avoid argument injection vulnerability in open_generic.
+
+ -- Nicholas Guriev <guriev-ns@ya.ru>  Sun, 20 May 2018 23:55:55 +0300
+
 xdg-utils (1.1.0~rc1+git20111210-6+deb7u3) stable-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
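Review bot: the changelog entry names the function (open_generic) but neither the script nor the trigger, and this line is what ends up in the security announcement; state both, e.g. `- Avoid argument injection in xdg-open's open_generic when a crafted URL is substituted into $BROWSER (CVE-2017-18266).` The previous entry targets `stable-security` while this one targets `wheezy-security`; that difference is expected, since wheezy is no longer stable and LTS uploads go to `wheezy-security`.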
diff -Nru xdg-utils-1.1.0~rc1+git20111210/debian/patches/CVE-2017-18266.patch xdg-utils-1.1.0~rc1+git20111210/debian/patches/CVE-2017-18266.patch
--- xdg-utils-1.1.0~rc1+git20111210/debian/patches/CVE-2017-18266.patch	1970-01-01 00:00:00.000000000 +0000
+++ xdg-utils-1.1.0~rc1+git20111210/debian/patches/CVE-2017-18266.patch	2018-05-24 07:44:46.000000000 +0000
@@ -0,0 +1,44 @@
+Description: Fix argument injection when browser is launched
+Author: Nicholas Guriev <guriev-ns@ya.ru>
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=103807
+Bug-Debian: https://bugs.debian.org/898317
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1772295
+Last-Update: Sun, 20 May 2018 22:41:54 +0300
+
+--- a/scripts/xdg-open.in
++++ b/scripts/xdg-open.in
+@@ -233,6 +233,7 @@ open_generic()
+         open_generic_xdg_x_scheme_handler "$1"
+     fi
+ 
++    local url="$1"
+     OLDIFS="$IFS"
+     IFS=":"
+     for browser in $BROWSER; do
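Review bot: the DEP-3 header carries `Bug:`, `Bug-Debian:` and `Bug-Ubuntu:` but no `Origin:` or `Forwarded:` field, so a reader cannot tell whether this is the upstream fix for bug 103807 or a local backport; add `Origin:` with the upstream commit if it is one, otherwise `Forwarded: yes` or `not-needed`. On the first hunk itself, `local url="$1"` is required rather than cosmetic, because the `shift $#` added further down in the same loop discards the positional parameters; `local` is not POSIX, so confirm that xdg-open's other functions already use it under /bin/sh before relying on it here.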
+@@ -249,9 +250,15 @@ open_generic()
+                 redirect_output="$xdg_redirect_output"
+             fi
+ 
++            shift $#
++            for element in $browser; do
++                set -- "$@" "$(printf -- "$element" "$url")"
++            done
++
+             if [ x"$browser_with_arg" = x"$browser" ]; then
+-                eval '$browser $1'$redirect_output;
+-            else eval '$browser_with_arg'$redirect_output;
++                eval '$browser "$url"'$redirect_output
++            else
++                eval '"$@"'$redirect_output
+             fi
+ 
+             if [ $? -eq 0 ]; then
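Review bot: `printf -- "$element" "$url"` treats every whitespace-separated word of `$browser` as a printf format string with no error handling, so a word containing a `%` other than `%s`, or a backslash sequence, is rewritten by printf instead of being passed through, and an invalid format spills an error to stderr during browser selection. Consider formatting only the elements that actually contain `%s`, e.g. `case $element in *%s*) set -- "$@" "$(printf -- "$element" "$url")";; *) set -- "$@" "$element";; esac`. The security change itself looks right: the URL now enters only as a printf argument, each formatted element is kept as its own word via `set --`, and both `"$@"` and `"$url"` are quoted inside the single-quoted eval strings, so shell metacharacters in the URL are no longer re-parsed by `eval` the way `'$browser $1'` and the pre-formatted `'$browser_with_arg'` string allowed.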
+@@ -260,7 +267,7 @@ open_generic()
+         fi
+     done
+ 
+-    exit_failure_operation_impossible "no method available for opening '$1'"
++    exit_failure_operation_impossible "no method available for opening '$url'"
+ }
+ 
+ open_lxde()
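Review bot: the `$1` to `$url` change in the failure message is a required consequence of the `shift $#` in the loop above, not a cosmetic one: once the loop has run, `$1` is empty here and the message would read `opening ''`; say so in the Description so a later backporter does not drop this hunk as noise.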
diff -Nru xdg-utils-1.1.0~rc1+git20111210/debian/patches/series xdg-utils-1.1.0~rc1+git20111210/debian/patches/series
--- xdg-utils-1.1.0~rc1+git20111210/debian/patches/series	2015-02-22 03:29:51.000000000 +0000
+++ xdg-utils-1.1.0~rc1+git20111210/debian/patches/series	2018-05-24 07:44:46.000000000 +0000
@@ -10,3 +10,4 @@
 command-injection.patch
 xdg-open-safe.diff
 CVE-2015-1877.patch
+CVE-2017-18266.patch
