
Bug#988394: thunar: CVE-2021-32563



Hi Yves-Alexis,

On Thu, May 13, 2021 at 07:05:37PM +0200, Yves-Alexis Perez wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> On Tue, 2021-05-11 at 21:45 +0200, Salvatore Bonaccorso wrote:
> > The following vulnerability was published for thunar.
> > 
> > CVE-2021-32563[0]:
> > > An issue was discovered in Thunar before 4.16.7 and 4.17.x before
> > > 4.17.2. When called with a regular file as a command-line argument, it
> > > delegates to a different program (based on the file type) without user
> > > confirmation. This could be used to achieve code execution.
> > 
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> Hi Salvatore, thanks for the heads up.
> 
> We have Thunar 4.16.3 in testing and 4.16.4 in sid. It'd be best to update
> everything to 4.16.8 but I'm unsure the release team will like that, so I'll
> also look at isolating the fix.

Thank you! Btw, I still would try to check if release team would
accept 4.16.8 itself. Note I'm as well not sure about if this will
need a DSA or can be fixed via point release, but given your double
hat on I will leave that decision to you :)

Regards,
Salvatore

