
Bug#884923: abiword: CVE-2017-17529



Control: reopen -1
Control: tags -1 moreinfo

On Thu, Dec 21, 2017 at 7:55 AM, Salvatore Bonaccorso <carnil@debian.org> wrote:
> Source: abiword
> Version: 3.0.2-5
> Severity: normal
> Tags: security upstream
>
> Hi,
>
> the following vulnerability was published for abiword.
>
> CVE-2017-17529[0]:
> | af/util/xp/ut_go_file.cpp in AbiWord 3.0.2-2 does not validate strings
> | before launching the program specified by the BROWSER environment
> | variable, which might allow remote attackers to conduct
> | argument-injection attacks via a crafted URL.
>
> Might be possible to just compile with --with-gnomevfs and not use the
> problematic function.

The --with-gnomevfs option is only for gtk2, but we build Abiword with gtk3.

Also, it would be an RC bug to actually depend on gnome-vfs [1].

https://lists.debian.org/debian-devel/2018/02/msg00169.html

Has this issue even been reported to the Abiword developers?

Thanks,
Jeremy Bicha
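The argument-injection class the quoted CVE text describes (a URL handed to the program named by BROWSER without validation), illustrated by an added C++ example that is not AbiWord's code or a patch for it: the hypothetical helpers is_safe_browser_url, build_browser_argv and launch_browser treat BROWSER as a program name only (no shell, no %s substitution), pass the URL as one argv element, and reject URLs that could be read as an option or as shell syntax.

```cpp
#include <cstdlib>
#include <cstring>
#include <string>
#include <vector>
#include <unistd.h>

// Accept only URLs that are safe to hand to an external browser as a single
// argv element: an explicit http(s)/ftp scheme (so the argument can never
// start with '-' and be parsed as an option), and no whitespace, control or
// shell metacharacters, which is defence in depth for the case where a site
// configures BROWSER as a shell snippet rather than a bare program name.
bool is_safe_browser_url(const std::string& url) {
    static const char* schemes[] = {"http://", "https://", "ftp://"};
    bool scheme_ok = false;
    for (const char* s : schemes) {
        if (url.compare(0, std::strlen(s), s) == 0) { scheme_ok = true; break; }
    }
    if (!scheme_ok) return false;
    for (unsigned char c : url) {
        if (c <= 0x20 || c >= 0x7f) return false;            // space, control, non-ASCII
        if (std::strchr("\"'`$\\;&|<>()", c)) return false;  // shell metacharacters
    }
    return true;
}

// Build the argv for execvp(): the BROWSER value is the program name, the URL
// is the only other argument. Returns an empty vector when the URL is rejected
// or no browser is configured (caller then falls back or reports an error).
std::vector<std::string> build_browser_argv(const std::string& browser,
                                            const std::string& url) {
    if (browser.empty() || !is_safe_browser_url(url)) return {};
    return {browser, url};
}

// Hypothetical launcher: fork + execvp with a fixed argv instead of
// interpolating the URL into a command line that a shell would parse.
bool launch_browser(const std::string& url) {
    const char* browser = std::getenv("BROWSER");
    std::vector<std::string> argv = build_browser_argv(browser ? browser : "", url);
    if (argv.empty()) return false;
    pid_t pid = fork();
    if (pid < 0) return false;
    if (pid == 0) {
        std::vector<char*> cargv;
        for (std::string& a : argv) cargv.push_back(&a[0]);
        cargv.push_back(nullptr);
        execvp(cargv[0], cargv.data());
        _exit(127);  // exec failed in the child
    }
    return true;
}
```

The character allow-list is deliberately conservative and will reject some legitimate query strings (those containing '&'); an implementation that only ever execs with argv could relax that part while keeping the scheme check.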

