Hello,

https://www.cvedetails.com/cve/CVE-2017-17518/

| swt/motif/browser.c in White_dune (aka whitedune) 0.30.10 does not validate strings before launching the program specified
| by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a
| crafted URL.
| Publish Date : 2017-12-14 Last Update Date : 2018-01-02

The current version of white_dune (1.366 at https://wdune.ourproject.org/) does not use a "BROWSER environment variable":

    wdune-1.366$ find -type f -print | xargs grep BROWSER | grep -v WWW_BROWSER | grep -v VRML_BROWSER | grep -v VRMLBROWSER | grep -v VRML_REMOTE_BROWSER| grep -v WWWBROWSER | grep -v SHBROWSER | grep -v SBROWSER | grep -v IDC_BROWSER | grep -v DEFAULT_BROWSER | grep -v BROWSER_OBJECT | grep -v SOURCE_BROWSER
    wdune-1.366$

Instead, the "browser" variable is read from the $HOME/.dunerc file (or from the M$Windows registry). It is configurable in the "options" menu. The default is chosen in the ./configure script, which tests various programs; the first tested is "xdg-open".

    ...
    dnl check for webbrowsers
    if test "X_$WWWBROWSER" = "X_" ; then
       AC_PATH_PROGS(WWWBROWSER,[xdg-open firefox x-www-browser epiphany iceweasel phoenix galeon firebird opera mozilla seamonkey lynx links netscape])
    fi
    ...

yours
J. Scheurich
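An added example, not part of the message above and not white_dune code: one way to guard against the argument injection the CVE text describes is to validate the URL and start the configured browser with execv() instead of a shell. The function names, the allowed-scheme list and the absolute-path requirement are assumptions made for illustration.

```c
/* Added example, not white_dune code; names and scheme list are assumptions. */
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Return 1 if url may be passed to the browser as one argv entry. */
int url_is_safe(const char *url)
{
    static const char *const schemes[] = { "http://", "https://", "file://" };
    size_t i;
    int known = 0;

    if (url == NULL)
        return 0;
    for (i = 0; i < sizeof schemes / sizeof schemes[0]; i++)
        if (strncmp(url, schemes[i], strlen(schemes[i])) == 0)
            known = 1;
    if (!known)             /* also rejects "" and option-like "-x", "--flag" */
        return 0;
    for (; *url != '\0'; url++) {
        unsigned char c = (unsigned char)*url;
        if (c <= ' ' || c >= 0x7f || strchr("\"'`$;|<>\\", c) != NULL)
            return 0;       /* whitespace, control bytes, quoting characters */
    }
    return 1;
}

/* Run browser (absolute path, as AC_PATH_PROGS yields) with no shell.
 * Returns the child's exit status, or -1 if rejected or on error. */
int launch_browser(const char *browser, const char *url)
{
    char *argv[3] = { (char *)browser, (char *)url, NULL };
    int status = 0;
    pid_t pid;

    if (browser == NULL || browser[0] != '/' || !url_is_safe(url))
        return -1;
    pid = fork();
    if (pid == 0) {
        execv(browser, argv);   /* url stays exactly one argument */
        _exit(127);
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Constructed demo: /bin/echo stands in for the configured browser. */
int main(void) { return launch_browser("/bin/echo", "https://example.org/") != 0; }
```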