Bug#988394: thunar: CVE-2021-32563

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#988394: thunar: CVE-2021-32563
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Tue, 11 May 2021 21:45:13 +0200
Message-id: <[🔎] 162076231317.1215350.12730156670676669086.reportbug@eldamar.lan>
Reply-to: Salvatore Bonaccorso <carnil@debian.org>, 988394@bugs.debian.org

Source: thunar
Version: 4.16.4-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 4.16.3-1

Hi,

The following vulnerability was published for thunar.

CVE-2021-32563[0]:
| An issue was discovered in Thunar before 4.16.7 and 4.17.x before
| 4.17.2. When called with a regular file as a command-line argument, it
| delegates to a different program (based on the file type) without user
| confirmation. This could be used to achieve code execution.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-32563
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32563
[1] https://marc.info/?l=oss-security&m=162058938307965&w=2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Reply to:

Follow-Ups:
- Processed: thunar: CVE-2021-32563
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>
- Bug#988394: thunar: CVE-2021-32563
  - From: Yves-Alexis Perez <corsac@debian.org>
- Bug#988394: marked as done (thunar: CVE-2021-32563)
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Prev by Date: Bug#986267: xfce4-appfinder: Application Finder doesn't show up xfce4's "Add New Items" window
Next by Date: Processed: thunar: CVE-2021-32563
Previous by thread: Bug#986267: xfce4-appfinder: Application Finder doesn't show up xfce4's "Add New Items" window
Next by thread: Processed: thunar: CVE-2021-32563
Index(es):
- Date
- Thread