
Bug#988394: marked as done (thunar: CVE-2021-32563)



Your message dated Thu, 13 May 2021 18:33:31 +0000
with message-id <E1lhG9L-0007za-Dw@fasolo.debian.org>
and subject line Bug#988394: fixed in thunar 4.16.8-1
has caused the Debian Bug report #988394,
regarding thunar: CVE-2021-32563
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
988394: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988394
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: thunar
Version: 4.16.4-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 4.16.3-1

Hi,

The following vulnerability was published for thunar.

CVE-2021-32563[0]:
| An issue was discovered in Thunar before 4.16.7 and 4.17.x before
| 4.17.2. When called with a regular file as a command-line argument, it
| delegates to a different program (based on the file type) without user
| confirmation. This could be used to achieve code execution.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-32563
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32563
[1] https://marc.info/?l=oss-security&m=162058938307965&w=2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: thunar
Source-Version: 4.16.8-1
Done: Yves-Alexis Perez <corsac@debian.org>

We believe that the bug you reported is fixed in the latest version of
thunar, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 988394@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yves-Alexis Perez <corsac@debian.org> (supplier of updated thunar package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 13 May 2021 20:14:27 +0200
Source: thunar
Architecture: source
Version: 4.16.8-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Xfce Maintainers <debian-xfce@lists.debian.org>
Changed-By: Yves-Alexis Perez <corsac@debian.org>
Closes: 988394
Changes:
 thunar (4.16.8-1) unstable; urgency=medium
 .
   * New upstream version 4.16.8
     - includes fix for CVE-2021-32563: don't directly execute a file passed as
     an argument but rather open the containing folder (Closes: #988394)

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
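
A triage check built from the version ranges in the CVE text quoted above, as an added example that is not part of the original messages or of Debian's tooling: it flags inventory rows whose thunar upstream version is before 4.16.7, or is 4.17.x before 4.17.2. The tab-separated host/package/version input format and the host names are assumptions constructed for illustration.

```python
import re

def upstream_tuple(version):
    """Numeric upstream part of a Debian version: '1:4.16.6-2' -> (4, 16, 6)."""
    upstream = version.split(":", 1)[-1]    # drop an epoch, if present
    upstream = upstream.rsplit("-", 1)[0]   # drop the Debian revision, if present
    # Simplification: suffixes such as '~rc1' or '+dfsg' are ignored.
    match = re.match(r"\d+(?:\.\d+)*", upstream)
    if match is None:
        raise ValueError("unparseable version: %r" % version)
    return tuple(int(part) for part in match.group(0).split("."))

def is_affected(version):
    """Apply the ranges from the CVE text: < 4.16.7, or 4.17.x < 4.17.2."""
    v = upstream_tuple(version)
    if v[:2] == (4, 17):
        return v < (4, 17, 2)
    return v < (4, 16, 7)

def triage(inventory):
    """Return (host, version) for every affected 'thunar' row.

    Each row is 'host<TAB>package<TAB>version' (assumed format, e.g.
    collected per host with dpkg-query -W and prefixed with the host name).
    """
    hits = []
    for line in inventory.splitlines():
        fields = line.split("\t")
        if len(fields) != 3 or fields[1] != "thunar":
            continue  # other packages and malformed rows are skipped
        host, _, version = fields
        if is_affected(version):
            hits.append((host, version))
    return hits

# Constructed sample inventory; host names are hypothetical.
SAMPLE = "\n".join([
    "ws-01\tthunar\t4.16.4-1",
    "ws-02\tthunar\t4.16.8-1",
    "ws-03\tthunar\t4.17.1-1",
    "ws-04\tthunar\t4.17.2-1",
    "ws-05\tthunar\t4.16.3-1",
    "ws-05\tthunar-data\t4.16.3-1",
])

if __name__ == "__main__":
    for host, version in triage(SAMPLE):
        print("%s: thunar %s is in the CVE-2021-32563 affected range" % (host, version))
```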
