
Bug#1013129: marked as done (exo: CVE-2022-32278)



Your message dated Sat, 18 Jun 2022 12:03:57 +0000
with message-id <E1o2XBF-00055A-Sz@fasolo.debian.org>
and subject line Bug#1013129: fixed in exo 4.16.4-1
has caused the Debian Bug report #1013129,
regarding exo: CVE-2022-32278
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1013129: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013129
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: exo
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for exo.

CVE-2022-32278[0]:
| XFCE 4.16 allows attackers to execute arbitrary code because xdg-open
| can execute a .desktop file on an attacker-controlled FTP server.

https://gitlab.xfce.org/xfce/exo/-/commit/c71c04ff5882b2866a0d8506fb460d4ef796de9f

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-32278
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32278

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: exo
Source-Version: 4.16.4-1
Done: Yves-Alexis Perez <corsac@debian.org>

We believe that the bug you reported is fixed in the latest version of
exo, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1013129@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yves-Alexis Perez <corsac@debian.org> (supplier of updated exo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 18 Jun 2022 13:49:57 +0200
Source: exo
Architecture: source
Version: 4.16.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Xfce Maintainers <debian-xfce@lists.debian.org>
Changed-By: Yves-Alexis Perez <corsac@debian.org>
Closes: 1013129
Changes:
 exo (4.16.4-1) unstable; urgency=medium
 .
   * New upstream version 4.16.4
   - Fix CVE-2022-32278, exo allows executing .desktop files with remote URI
     scheme. (Closes: #1013129)
Checksums-Sha1:
 60432311f45995469c6b6af91f4d7c85e23b0788 1852 exo_4.16.4-1.dsc
 228ebd069482b5f57ed421d5edfc05434c68fbb4 876080 exo_4.16.4.orig.tar.bz2
 ac4b241b15fe467a14f6067ac69d314a26604411 13008 exo_4.16.4-1.debian.tar.xz
 6ce8b7dee10fd9d1b282659f98f84a4abfcfe0ff 16416 exo_4.16.4-1_amd64.buildinfo
Checksums-Sha256:
 f3c876b48239fb2117c8c9cc68f99e15731476dc5589de1e5410feffc5b2685f 1852 exo_4.16.4-1.dsc
 82a50c67e78f1e5c420b7615515bcca759b86eeab99224ab8eca4306b89d2eca 876080 exo_4.16.4.orig.tar.bz2
 2f03444b14984cc82803b9a35abb05b8318c416b7654068480560588e04dc423 13008 exo_4.16.4-1.debian.tar.xz
 129938462d5c483eb18c4831caab25939a563f5a13d16da8e9828dca0b76161f 16416 exo_4.16.4-1_amd64.buildinfo
Files:
 0a3e3680a4a609fe8b6379c46763e691 1852 xfce optional exo_4.16.4-1.dsc
 f85fe6ad7fbd989c622f4d4ebef86881 876080 xfce optional exo_4.16.4.orig.tar.bz2
 4fe97ce8597cd0bb6830a917302c791e 13008 xfce optional exo_4.16.4-1.debian.tar.xz
 dcaa620c057f8e98f019bc73a8ac327c 16416 xfce optional exo_4.16.4-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEE8vi34Qgfo83x35gF3rYcyPpXRFsFAmKtvqUACgkQ3rYcyPpX
RFsMQAgA3gCue5pJodrz1UCqRz0YR/7NYDGB8FjAI36nnfBcbiodDk5bIDe69ueZ
gYXHTmT3hthCtm2jPAJ8aQNqbrHr+EdSos/JHj4597SFnI45XCltGHF51PKzTdjE
7MJ+4tznQa9RagVNcfFC3mdJ9KZwihum0KyKx/Bcj8p9/Kws2qAaeRZ9ai5bKiJf
wXPVtoZ3JJoSsx8iWBYIrhKknwH1kdbOYB9195fii2rYRm/uIkSApNN7L2oS9qj1
6+OFTRuX8Iy7+76PvSEcJrPyLsnDcIbIJCDL5Y3B9IdOPb2GwxMKoLuWwKA+QDiX
7zqZ7hcrRoDd/L3dDl9FisAUnP9ayA==
=l55X
-----END PGP SIGNATURE-----

--- End Message ---
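The CVE text above and the changelog entry ("exo allows executing .desktop files with remote URI scheme") describe one failure mode: a launcher that treats a .desktop file as runnable regardless of where the URI points, so a file fetched from a remote FTP server is executed instead of merely opened. The check below is an added, stand-alone illustration of the hardening principle, not exo's own code or the upstream commit; the function names (`may_execute_desktop_file`, `uri_scheme`, `file_uri_is_local`) and the exact policy (execute only bare absolute paths, `file:///...` and `file://localhost/...`) are this example's assumptions. The sample URIs in main() are constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy the RFC 3986 scheme of `uri` into `out`, lower-cased.
 * Returns the scheme length, or 0 when there is no syntactically valid
 * scheme (e.g. a bare path such as /usr/share/applications/x.desktop). */
static size_t uri_scheme(const char *uri, char *out, size_t outlen)
{
    size_t i = 0;
    if (uri == NULL || !isalpha((unsigned char)uri[0]))
        return 0;                       /* scheme must start with a letter */
    while (uri[i] != '\0' && uri[i] != ':') {
        unsigned char c = (unsigned char)uri[i];
        if (!isalnum(c) && c != '+' && c != '-' && c != '.')
            return 0;                   /* not a scheme character */
        i++;
    }
    if (uri[i] != ':' || i >= outlen)
        return 0;                       /* no colon, or too long for buffer */
    for (size_t k = 0; k < i; k++)
        out[k] = (char)tolower((unsigned char)uri[k]);
    out[i] = '\0';
    return i;
}

/* True when `path` names a .desktop launcher (case-sensitive, as on Linux). */
static bool has_desktop_suffix(const char *path)
{
    const char *suffix = ".desktop";
    size_t plen = strlen(path), slen = strlen(suffix);
    return plen >= slen && strcmp(path + plen - slen, suffix) == 0;
}

/* Accept only file URIs whose authority is empty or "localhost"
 * (file:///path, file://localhost/path). A file URI naming any other
 * host is treated as remote and rejected. `uri` must start with "file:". */
static bool file_uri_is_local(const char *uri)
{
    const char *rest = uri + 5;          /* skip "file:" */
    if (strncmp(rest, "//", 2) != 0)
        return false;
    rest += 2;
    if (rest[0] == '/')
        return true;                     /* empty authority */
    return strncmp(rest, "localhost/", 10) == 0;
}

/* Hypothetical policy gate: a .desktop file may be executed as a launcher
 * only if it lives on the local filesystem. Anything with a remote scheme
 * (ftp, http, sftp, smb, ...) must be opened as plain data, never run. */
bool may_execute_desktop_file(const char *uri)
{
    char scheme[32];
    if (uri == NULL || !has_desktop_suffix(uri))
        return false;                    /* not a launcher at all */
    size_t n = uri_scheme(uri, scheme, sizeof scheme);
    if (n == 0)
        return uri[0] == '/';            /* bare absolute local path */
    if (strcmp(scheme, "file") == 0)
        return file_uri_is_local(uri);
    return false;                        /* every other scheme is remote */
}

int main(void)
{
    /* Constructed sample URIs for demonstration only. */
    const char *samples[] = {
        "/usr/share/applications/editor.desktop",
        "file:///home/user/.local/share/applications/app.desktop",
        "file://localhost/home/user/app.desktop",
        "ftp://ftp.example.org/pub/run.desktop",
        "FTP://ftp.example.org/pub/run.desktop",
        "file://ftp.example.org/pub/run.desktop",
        "https://www.example.org/index.html",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-58s -> %s\n", samples[i],
               may_execute_desktop_file(samples[i]) ? "execute" : "open as data");
    return 0;
}
```

The decision is made on the URI before any fetch happens, so a remote .desktop file is never downloaded into a code path that could run it; the scheme comparison is case-insensitive because RFC 3986 schemes are, while the `.desktop` suffix stays case-sensitive to match Linux filesystems.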
