Bug#1013129: marked as done (exo: CVE-2022-32278)

To: Yves-Alexis Perez <corsac@debian.org>
Subject: Bug#1013129: marked as done (exo: CVE-2022-32278)
From: "Debian Bug Tracking System" <owner@bugs.debian.org>
Date: Sun, 19 Jun 2022 17:51:05 +0000
Message-id: <[🔎] handler.1013129.D1013129.16556608328322.ackdone@bugs.debian.org>
Reply-to: 1013129@bugs.debian.org
References: <E1o2z0u-000FkT-06@fasolo.debian.org> <[🔎] YqyY47Cdl0WygfOo@pisco.westfalen.local>

Your message dated Sun, 19 Jun 2022 17:47:08 +0000
with message-id <E1o2z0u-000FkT-06@fasolo.debian.org>
and subject line Bug#1013129: fixed in exo 4.16.0-1+deb11u1
has caused the Debian Bug report #1013129,
regarding exo: CVE-2022-32278
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1013129: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013129
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: submit@bugs.debian.org
Subject: exo: CVE-2022-32278
From: Moritz Mühlenhoff <jmm@inutil.org>
Date: Fri, 17 Jun 2022 17:08:19 +0200
Message-id: <[🔎] YqyY47Cdl0WygfOo@pisco.westfalen.local>

Source: exo
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for exo.

CVE-2022-32278[0]:
| XFCE 4.16 allows attackers to execute arbitrary code because xdg-open
| can execute a .desktop file on an attacker-controlled FTP server.

https://gitlab.xfce.org/xfce/exo/-/commit/c71c04ff5882b2866a0d8506fb460d4ef796de9f

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-32278
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32278

Please adjust the affected versions in the BTS as needed.

--- End Message ---

--- Begin Message ---

To: 1013129-close@bugs.debian.org
Subject: Bug#1013129: fixed in exo 4.16.0-1+deb11u1
From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
Date: Sun, 19 Jun 2022 17:47:08 +0000
Message-id: <E1o2z0u-000FkT-06@fasolo.debian.org>
Reply-to: Yves-Alexis Perez <corsac@debian.org>

Source: exo
Source-Version: 4.16.0-1+deb11u1
Done: Yves-Alexis Perez <corsac@debian.org>

We believe that the bug you reported is fixed in the latest version of
exo, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1013129@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yves-Alexis Perez <corsac@debian.org> (supplier of updated exo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 18 Jun 2022 14:17:06 +0200
Source: exo
Binary: exo-utils exo-utils-dbgsym libexo-2-0 libexo-2-0-dbgsym libexo-2-dev libexo-common
Architecture: source amd64 all
Version: 4.16.0-1+deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian Xfce Maintainers <debian-xfce@lists.debian.org>
Changed-By: Yves-Alexis Perez <corsac@debian.org>
Description:
 exo-utils  - Utility files for libexo
 libexo-2-0 - Library with extensions for Xfce (GTK-3 version)
 libexo-2-dev - Development files for libexo (GTK-3 version)
 libexo-common - libexo common files
Closes: 1013129
Changes:
 exo (4.16.0-1+deb11u1) stable-security; urgency=medium
 .
   * d/patches: 0001-exo-open-Only-execute-local-.desktop-files.patch added
     Fix CVE-2022-32278, exo allows executing .desktop files with remote URI
     scheme. (Closes: #1013129)
Checksums-Sha1:
 328ddf2529764c12965df8dd42158f63dc0d521f 1884 exo_4.16.0-1+deb11u1.dsc
 7f5fa747df1a9b48531b4ff13fb7f7671088f0aa 966143 exo_4.16.0.orig.tar.bz2
 1cbd216290741e8fb6e1c9911b0ea8cc9509664f 13888 exo_4.16.0-1+deb11u1.debian.tar.xz
 7968726451ec3f1d710411bab1426864e9fb0f95 90208 exo-utils-dbgsym_4.16.0-1+deb11u1_amd64.deb
 7ccbe1675a5f0284c4feb8ac74b34fe1c686fcb9 218348 exo-utils_4.16.0-1+deb11u1_amd64.deb
 893a027b84a7d3ef8ac5b7328fd76ac3830acf07 16634 exo_4.16.0-1+deb11u1_amd64.buildinfo
 5d12667edcedab58767fbc1d7a3e13733529042f 255452 libexo-2-0-dbgsym_4.16.0-1+deb11u1_amd64.deb
 be3c9f3f3779e56a304998824cfec25671f2ea16 417864 libexo-2-0_4.16.0-1+deb11u1_amd64.deb
 1179fb3eb7b64f6a312f0d4dd3a15e1aea4aa863 297116 libexo-2-dev_4.16.0-1+deb11u1_amd64.deb
 1aee934e46e4a584994a010b44a752125912be67 193704 libexo-common_4.16.0-1+deb11u1_all.deb
Checksums-Sha256:
 89abf6527fc85fa71087065dc294e23f13d0cf3150fad9a324d1abfe4bfee2af 1884 exo_4.16.0-1+deb11u1.dsc
 1975b00eed9a8aa1f899eab2efaea593731c19138b83fdff2f13bdca5275bacc 966143 exo_4.16.0.orig.tar.bz2
 12fbfab59721b6c879bbe19cdc768bd084ed2967177b711d7fc9d32e468b2788 13888 exo_4.16.0-1+deb11u1.debian.tar.xz
 d6b808f9985d58e406f3cd17000d8b49f492c369fb515ea60eea4bd54d73c13b 90208 exo-utils-dbgsym_4.16.0-1+deb11u1_amd64.deb
 2d64d3656244dbaf9bdcd259f153a14f55b03e14a6f3a572eb2536af9843e3e7 218348 exo-utils_4.16.0-1+deb11u1_amd64.deb
 075396b463c0c51a8a2a995867c9bfecd1e6db202114053664617b646115026f 16634 exo_4.16.0-1+deb11u1_amd64.buildinfo
 d93e26198640b555507e316a770946a694179f75f7beb654284246a4d3b01a18 255452 libexo-2-0-dbgsym_4.16.0-1+deb11u1_amd64.deb
 ad038f2461f640b2eac2e6da596995187d41d23cfa5064ce1fb71942d49a57a1 417864 libexo-2-0_4.16.0-1+deb11u1_amd64.deb
 95409ef7f198bf69c861466885c0fe3347f7656eb836b6284e0227f34bb1c4fe 297116 libexo-2-dev_4.16.0-1+deb11u1_amd64.deb
 dd50846347079fcecb2747ff105a0c4e173b596d3745cc8dc77503ccc86da011 193704 libexo-common_4.16.0-1+deb11u1_all.deb
Files:
 d72bf8d583d9b51bd8e68374e1dc2d92 1884 xfce optional exo_4.16.0-1+deb11u1.dsc
 0e2cb9c8bbe1993249358e2b0b9d9c54 966143 xfce optional exo_4.16.0.orig.tar.bz2
 33d8d7476934b0ceb5f4b105e9fedc4c 13888 xfce optional exo_4.16.0-1+deb11u1.debian.tar.xz
 b7e04127dcb3ed4368cd0c547f8f4c0d 90208 debug optional exo-utils-dbgsym_4.16.0-1+deb11u1_amd64.deb
 84904da268bd0c860513910eda0f1625 218348 xfce optional exo-utils_4.16.0-1+deb11u1_amd64.deb
 596d91f5759c5c8f6aacba9487c2fcd2 16634 xfce optional exo_4.16.0-1+deb11u1_amd64.buildinfo
 15278ebb1dd7bb6486baa273a2f30db9 255452 debug optional libexo-2-0-dbgsym_4.16.0-1+deb11u1_amd64.deb
 646248c7f57c59bbd40f3e292f8eac3e 417864 libs optional libexo-2-0_4.16.0-1+deb11u1_amd64.deb
 5a76a32f51b01f701a635390a65f22ac 297116 libdevel optional libexo-2-dev_4.16.0-1+deb11u1_amd64.deb
 42e5c7eba549eac2232405eb7fdf19a3 193704 libs optional libexo-common_4.16.0-1+deb11u1_all.deb

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEE8vi34Qgfo83x35gF3rYcyPpXRFsFAmKt+YcACgkQ3rYcyPpX
RFvCiQgAqeVASHvtbpmYb7fotkTTWcxsuw5qpDK3fGrZnLyHFiy/js2nPOQumB7x
7ztsvn1N+x6em1W3l7kSJkvBvIIC4hdHFPWRE1pWDK3EGfYE7LrJVwGAaRlW19j8
l7tX1OMTLqCibUwhzHmP4A12lIn3/dNU09d6YsErbuXbzQQjQDz9yOtZocC0DGRk
TF5Jd+bPIs7Cfmo9mtb7eMrwBelOLKIrhuvB/7Y26AaPTr3ckxust5/03pXkkC94
adjS8ryNEC68WFlW2oB7RmEgE094lD2Q32abBpJVxh68xyzieUeTdER4JGqlZy9T
E53NO+T8GabNKmxYrsh4/B/RGqbedg==
=gFNu
-----END PGP SIGNATURE-----

--- End Message ---

Reply to:

References:
- Bug#1013129: exo: CVE-2022-32278
  - From: Moritz Mühlenhoff <jmm@inutil.org>

Prev by Date: exo_4.16.0-1+deb11u1_amd64.changes ACCEPTED into proposed-updates->stable-new
Next by Date: Bug#1013129: marked as done (exo: CVE-2022-32278)
Previous by thread: Bug#1013129: marked as done (exo: CVE-2022-32278)
Next by thread: Bug#1013129: marked as done (exo: CVE-2022-32278)
Index(es):
- Date
- Thread