
Bug#988394: thunar: CVE-2021-32563




On Tue, 2021-05-11 at 21:45 +0200, Salvatore Bonaccorso wrote:
> The following vulnerability was published for thunar.
> 
> CVE-2021-32563[0]:
> > An issue was discovered in Thunar before 4.16.7 and 4.17.x before
> > 4.17.2. When called with a regular file as a command-line argument, it
> > delegates to a different program (based on the file type) without user
> > confirmation. This could be used to achieve code execution.
> 
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

Hi Salvatore, thanks for the heads up.

We have Thunar 4.16.3 in testing and 4.16.4 in sid. It'd be best to update
everything to 4.16.8 but I'm unsure the release team will like that, so I'll
also look at isolating the fix.

Regards,
-- 
Yves-Alexis