
note about CVE-2017-17518



Hello,

https://www.cvedetails.com/cve/CVE-2017-17518/

| swt/motif/browser.c in White_dune (aka whitedune) 0.30.10 does not
| validate strings before launching the program specified
| by the BROWSER environment variable, which might allow remote
| attackers to conduct argument-injection attacks via a
| crafted URL.
| Publish Date : 2017-12-14 Last Update Date : 2018-01-02

The current version of white_dune (1.369 at
https://wdune.ourproject.org/) does not use a "BROWSER environment variable" :(

wdune-1.369$ find -type f -print | xargs grep BROWSER | grep -v WWW_BROWSER |
grep -v VRML_BROWSER | grep -v VRMLBROWSER | grep -v VRML_REMOTE_BROWSER |
grep -v WWWBROWSER | grep -v SHBROWSER | grep -v SBROWSER | grep -v IDC_BROWSER |
grep -v DEFAULT_BROWSER | grep -v BROWSER_OBJECT | grep -v SOURCE_BROWSER
wdune-1.369$

Instead, the "browser" variable is read from the $HOME/.dunerc file (or
from the M$Windows registry).

It is configurable in the "options" menu.
The default is chosen in the ./configure script, which tests various
programs; the first one tested is "xdg-open".

...
dnl check for webbrowsers
if test "X_$WWWBROWSER" = "X_" ; then
   AC_PATH_PROGS(WWWBROWSER,[xdg-open firefox x-www-browser epiphany
      iceweasel phoenix galeon firebird opera mozilla seamonkey lynx links
      netscape])
fi
fi
...

yours
J. Scheurich
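
The CVE text quoted above concerns launching a configured browser program with an unvalidated URL. As an added example (not white_dune's code and not part of the original message), here is one defensive pattern in C: validate the URL, then pass it as exactly one argv element without going through a shell. The function names, the allowed scheme list and the rejected character set are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: accept only URLs that cannot be read as an option
   or split into several words by the program that receives them. */
int url_is_safe(const char *url)
{
    static const char *schemes[] = { "http://", "https://", "file:///" };
    size_t i, ok = 0;

    if (url == NULL || url[0] == '\0' || url[0] == '-')
        return 0;                       /* empty or option-like string */
    for (i = 0; i < sizeof(schemes) / sizeof(schemes[0]); i++)
        if (strncmp(url, schemes[i], strlen(schemes[i])) == 0)
            ok = 1;
    if (!ok)
        return 0;                       /* scheme not on the allow list */
    for (i = 0; url[i] != '\0'; i++) {
        unsigned char c = (unsigned char)url[i];
        /* reject whitespace, control/non-ASCII bytes, shell metacharacters */
        if (c <= 0x20 || c >= 0x7f || strchr("\"'`\\$;|&<>", c) != NULL)
            return 0;
    }
    return 1;
}

/* Launch `browser` (assumed: the configured program name or path) with the
   URL as a single argument. Returns the child's exit status, or -1 if the
   URL is rejected or the launch fails. */
int launch_browser(const char *browser, const char *url)
{
    pid_t pid;
    int status;

    if (!url_is_safe(url))
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execlp(browser, browser, url, (char *)NULL);
        _exit(127);                     /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```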
