[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DSA 3165-1] xdg-utils security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3165-1                   security@debian.org
http://www.debian.org/security/                           Michael Gilbert
February 21, 2015                      http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : xdg-utils
CVE ID         : CVE-2015-1877
Debian Bug     : 777722

Jiri Horner discovered a way to cause xdg-open, a tool that automatically
opens URLs in a user's preferred application, to execute arbitrary
commands remotely.

This problem only affects /bin/sh implementations that don't sanitize
local variables.  Dash, which is the default /bin/sh in Debian is
affected.  Bash as /bin/sh is known to be unaffected.

For the stable distribution (wheezy), this problem has been fixed in
version 1.1.0~rc1+git20111210-6+deb7u3.

For the upcoming stable (jessie) and unstable (sid) distributions,
this problem will be fixed soon.

We recommend that you upgrade your xdg-utils packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQQcBAEBCgAGBQJU6WG2AAoJELjWss0C1vRzmEof/3yl6xrjW+HidxZWt1gFfxE5
f7h5IvNqT3CYkR2oTUruUH8CuKqGgGDOdF3Xg62gid2C0KnK5Y67ZLKPYrxTM1EY
yP5XZvBwHWO05SMx9qpyk0qCknTESXKVongIA5QVAJxfKfStnGa6igHJzNdremp+
qpm/0IpAu50RF7jWJ1RI3EFAYT0xWwFlBqhEGVEZXEE+4BSR87NL66UG5qaXuiT6
K1Tuj7s1mEPuXrL/Kg8wpFV8e6RUuHSQgeWZ3lTLB13AnMeZnOMRDG/rf8/iruhX
GXl50mzReTeVzexd6CerG7lZkORWHIhPvRl4H/4UcuH5QIUrWEM/ipDgYlzvw/W/
c2gesywaO/F8b8TKy9sC/3VHQNXaFr9ar/lShkHU6z1XyqerHbFQWWZb9yc0zSwB
TPOzI4YMylklkorrOm9HeFbSIrB+pfOI9ivQSapQqucrkejXy0R47bwy2FJY8QZj
4D2MkAwjhlDiRWGVyvqRges/s8+zBUzMIhlfNq54xI7ZaPlUAPEQ3fInLFZJ5v2a
RDFtqvpzdi3GL3vR/ntdiu3zl+gK2OOfgHVe5CWdZIqTcGNmUa4W8Gy6KoTOJGRq
UMrvp7qKI0lTF9tyQbpDi9Dq8h74foxnfrdEpcasNVLlup5SAKRgtiUnmku4I5Ts
Hp81UqYWWdWjoD97U1pcy+3xgQeariDMMN5WDDYKzT5FTTcvSHEmeRtb3p88fqM/
kDiUD+Muda7j6nfWHVgsO5p9lhi8WrWpry0WAaZ7w64HXhgb8WM0/aWcn8onY+R/
jcSkKyKFEk+b71nYrgS4JWhzNATCu6kgPH0kLNvJiHZkA9rVHWxsqZfthCBrysEm
aCftGyqEkGJFWVcFwxXkCb6NwN9tIE/rJj7iIi2Wp1cVSQGJA24Zyr8n8EprCnYm
kMGEw33+iYo3xdTTie0XWR3yMop7R/yw/FXGGjkkptBnMS4EHizZsvTtyQskO15V
q9qI4rfMAmV4AOY4U8eJoARZ++haeAbQ+JArjwtxnQUY3ZuYDIDiUFv1LHVKGM+c
UXdRgiLMhz00ejTLLAD5x8MZ08MFED7E9km3zHuzKmd1QS1V0OSZc8jEquDd1IRd
ivc0DIRGae55zzgqwkZV6znFIY81cmd5sFAMrtQBy4pmhp6WWFHh1W8JETc+l/t+
HcIA1FMMhUC/peWUyJkkA0o+TpDpbfnfSwOJoQAxeXgslU2XyOU8r/mc3ze2/GSu
Z/zbVLr62agmh0Y44hdTHFGBlZcYPDHJiKjqcBvQSjTk5BvN0FcQ7m3HTz0lYHpb
dnbBCteP/c4srJwjTwCuPVTlz2WI9mzg1NNTvVWaB/ivLSPiGky/lqKt058N0Gk=
=eXk5
-----END PGP SIGNATURE-----


Reply to: