Re: CVE-2017-17518
Hi,
On Sat, Aug 31, 2019 at 03:09:59AM +0200, J. Scheurich wrote:
> Hi,
>
> https://www.cvedetails.com/cve/CVE-2017-17518/
>
> | swt/motif/browser.c in White_dune (aka whitedune) 0.30.10 does not validate strings before launching the program specified
> | by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a
> | crafted URL.
> | Publish Date : 2017-12-14 Last Update Date : 2018-01-02
I guess the CVE description was possibly misleading here or leading to
a non-issue in practice itself and relates to
https://sources.debian.org/src/whitedune/0.30.10-2.1/src/swt/motif/browser.c/?hl=159#L214
where the strings passed are not validated before, and might thus,
depending on the set browser, allow argument-injection attacks to be
conducted.
In any case we did already mark the CVE as unimportant/practical
non-issue security-wise on our end.
Can you follow up with your information to MITRE via
https://cveform.mitre.org/ so they might update the CVE entry with
additional information?
Regards,
Salvatore
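
As an added illustration (not part of the message above and not whitedune's code), this is one way to validate a URL before it is handed to the program named by BROWSER. The function names, the scheme allow-list and the rejected character set are assumptions made for the example, and it assumes the browser is started with an execvp()-style argument vector rather than through a shell.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 only if url can be handed to a browser as a single argv entry
 * without being read as an option or split into several arguments. */
static int url_is_safe_argument(const char *url)
{
    static const char *const schemes[] = { "http://", "https://", "file://" };
    size_t i, n = 0;
    if (url == NULL)
        return 0;
    /* An allow-listed scheme prefix also rules out a leading '-'. */
    for (i = 0; i < sizeof schemes / sizeof schemes[0]; i++) {
        size_t len = strlen(schemes[i]);
        if (strncmp(url, schemes[i], len) == 0) {
            n = len;
            break;
        }
    }
    if (n == 0 || url[n] == '\0')
        return 0;
    /* Reject whitespace, control bytes and shell metacharacters anywhere. */
    for (i = 0; url[i] != '\0'; i++) {
        unsigned char c = (unsigned char)url[i];
        if (c <= 0x20 || c == 0x7f || strchr("\"'`\\$;|<>(){}", c) != NULL)
            return 0;
    }
    return 1;
}

/* Fill argv for execvp(); returns 0 on success, -1 if the input is rejected.
 * The URL stays one argv element and never passes through a shell. */
static int build_browser_argv(const char *browser, const char *url,
                              const char *argv[3])
{
    if (browser == NULL || *browser == '\0' || !url_is_safe_argument(url))
        return -1;
    argv[0] = browser;
    argv[1] = url;
    argv[2] = NULL;
    return 0;
}

int main(void)
{
    const char *argv[3]; /* the inputs below are constructed samples */
    printf("%d\n", build_browser_argv("firefox", "http://example.org/a.wrl", argv));
    printf("%d\n", build_browser_argv("firefox", "http://example.org/ --some-option", argv));
    return 0;
}
```

A BROWSER value that itself carries arguments or a `%s` placeholder would need its own parsing, which this example does not cover.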