xdg-open: CVE-2017-18266: Argument injection in xdg-open open_envvar

Related Vulnerabilities: CVE-2017-18266  

Debian Bug report logs - #898317


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 10 May 2018 07:57:01 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in versions xdg-utils/1.1.1-1, xdg-utils/1.1.0~rc1+git20111210-7.4

Fixed in versions xdg-utils/1.1.3-1, xdg-utils/1.1.1-1+deb9u1, xdg-utils/1.1.0~rc1+git20111210-7.4+deb8u1

Done: Nicholas Guriev <guriev-ns@ya.ru>

Bug is archived. No further changes may be made.

Forwarded to https://bugs.freedesktop.org/show_bug.cgi?id=103807



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, gabriel.corona@enst-bretagne.fr, team@security.debian.org, Debian freedesktop.org maintainers <pkg-freedesktop-maintainers@lists.alioth.debian.org>:
Bug#898317; Package src:xdg-utils. (Thu, 10 May 2018 07:57:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, gabriel.corona@enst-bretagne.fr, team@security.debian.org, Debian freedesktop.org maintainers <pkg-freedesktop-maintainers@lists.alioth.debian.org>. (Thu, 10 May 2018 07:57:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: xdg-open: Argument injection in xdg-open open_envvar
Date: Thu, 10 May 2018 09:56:18 +0200
Source: xdg-utils
Version: 1.1.1-1
Severity: important
Tags: patch security upstream
Forwarded: https://bugs.freedesktop.org/show_bug.cgi?id=103807

Hi
there is an argument injection vulnerability in xdg-open open_envvar.

Details:

https://bugs.freedesktop.org/show_bug.cgi?id=103807

https://cgit.freedesktop.org/xdg/xdg-utils/commit/?id=ce802d71c3466d1dbb24f2fe9b6db82a1f899bcb

Regards,
Salvatore



Changed Bug title to 'xdg-open: CVE-2017-18266: Argument injection in xdg-open open_envvar' from 'xdg-open: Argument injection in xdg-open open_envvar'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 10 May 2018 14:21:06 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian freedesktop.org maintainers <pkg-freedesktop-maintainers@lists.alioth.debian.org>:
Bug#898317; Package src:xdg-utils. (Thu, 10 May 2018 20:09:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian freedesktop.org maintainers <pkg-freedesktop-maintainers@lists.alioth.debian.org>. (Thu, 10 May 2018 20:09:02 GMT)


Message #12 received at 898317@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 898317@bugs.debian.org
Subject: Re: Bug#898317: xdg-open: Argument injection in xdg-open open_envvar
Date: Thu, 10 May 2018 22:06:58 +0200
Control: found -1 1.1.0~rc1+git20111210-7.4

The issue seems present as well in an earlier version, though in upstream
commit 3c2fe9f1ebbfdbffcc9e38a767641805cec3340b this part was
refactored.



Marked as found in versions xdg-utils/1.1.0~rc1+git20111210-7.4. Request was from Salvatore Bonaccorso <carnil@debian.org> to 898317-submit@bugs.debian.org. (Thu, 10 May 2018 20:09:02 GMT)


Marked as found in versions xdg-utils/.1.0~rc1+git20111210-7.4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 10 May 2018 20:09:05 GMT)


No longer marked as found in versions xdg-utils/.1.0~rc1+git20111210-7.4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 10 May 2018 20:09:07 GMT)


Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Mon, 14 May 2018 17:39:26 GMT)


Reply sent to Nicholas Guriev <guriev-ns@ya.ru>:
You have taken responsibility. (Sun, 20 May 2018 08:45:04 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 20 May 2018 08:45:04 GMT)


Message #25 received at 898317-close@bugs.debian.org:

From: Nicholas Guriev <guriev-ns@ya.ru>
To: 898317-close@bugs.debian.org
Subject: Bug#898317: fixed in xdg-utils 1.1.3-1
Date: Sun, 20 May 2018 08:43:50 +0000
Source: xdg-utils
Source-Version: 1.1.3-1

We believe that the bug you reported is fixed in the latest version of
xdg-utils, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 898317@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nicholas Guriev <guriev-ns@ya.ru> (supplier of updated xdg-utils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 20 May 2018 01:18:48 +0300
Source: xdg-utils
Binary: xdg-utils
Architecture: source
Version: 1.1.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian freedesktop.org maintainers <pkg-freedesktop-maintainers@lists.alioth.debian.org>
Changed-By: Nicholas Guriev <guriev-ns@ya.ru>
Description:
 xdg-utils  - desktop integration utilities from freedesktop.org
Closes: 898317 898999
Changes:
 xdg-utils (1.1.3-1) unstable; urgency=medium
 .
   * New upstream release.
     - Avoid argument injection vulnerability in open_envvar.
       Fixes CVE-2017-18266, closes: #898317.
   * Remove 01-open-lxqt.patch applied by upstream.
   * Fix word expansion on KDE in xdg-email. Closes: #898999.
   * Bump debhelper and standards version, no modifications for this.
Checksums-Sha1:
 d451857efd05c8f95def7b4fda3803c172059367 2059 xdg-utils_1.1.3-1.dsc
 98294cf332c341b85e481d98e9ea59357fe1efc7 297170 xdg-utils_1.1.3.orig.tar.gz
 70a2599417c77e44a88e527c4b39a587644c36e5 9876 xdg-utils_1.1.3-1.debian.tar.xz
 e9173c089d0e93385f15d513f0685a353116da68 5201 xdg-utils_1.1.3-1_source.buildinfo
Checksums-Sha256:
 60a01003f5688462347e664fd42762a24578b8f325f473effd956e3bcc958ae5 2059 xdg-utils_1.1.3-1.dsc
 d798b08af8a8e2063ddde6c9fa3398ca81484f27dec642c5627ffcaa0d4051d9 297170 xdg-utils_1.1.3.orig.tar.gz
 71f5241bac2216c0ba650563b09e3b03be51c4818e532cac8ffad3c0f8d27057 9876 xdg-utils_1.1.3-1.debian.tar.xz
 029ae9b73bb4db861d7db75e015249efdfe38bba47afb59509d31152f6dc1702 5201 xdg-utils_1.1.3-1_source.buildinfo
Files:
 18cc472814f512cea00630e44565bc8e 2059 utils optional xdg-utils_1.1.3-1.dsc
 902042508b626027a3709d105f0b63ff 297170 utils optional xdg-utils_1.1.3.orig.tar.gz
 5a8d9c72670240995858ceb3c467ea94 9876 utils optional xdg-utils_1.1.3-1.debian.tar.xz
 249c82664980f13a4dfcc533fa6da4e8 5201 utils optional xdg-utils_1.1.3-1_source.buildinfo


Reply sent to Nicholas Guriev <guriev-ns@ya.ru>:
You have taken responsibility. (Mon, 28 May 2018 19:51:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 28 May 2018 19:51:05 GMT)


Message #30 received at 898317-close@bugs.debian.org:

From: Nicholas Guriev <guriev-ns@ya.ru>
To: 898317-close@bugs.debian.org
Subject: Bug#898317: fixed in xdg-utils 1.1.1-1+deb9u1
Date: Mon, 28 May 2018 19:48:07 +0000
Source: xdg-utils
Source-Version: 1.1.1-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
xdg-utils, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 898317@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nicholas Guriev <guriev-ns@ya.ru> (supplier of updated xdg-utils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 20 May 2018 12:44:40 +0300
Source: xdg-utils
Binary: xdg-utils
Architecture: source all
Version: 1.1.1-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Per Olofsson <pelle@debian.org>
Changed-By: Nicholas Guriev <guriev-ns@ya.ru>
Description:
 xdg-utils  - desktop integration utilities from freedesktop.org
Closes: 898317
Changes:
 xdg-utils (1.1.1-1+deb9u1) stretch-security; urgency=high
 .
   * Fix CVE-2017-18266, closes: #898317.
     - Avoid argument injection vulnerability in open_envvar()
Checksums-Sha1:
 d8c3f9a77394c9c50def7615b0ac4d861426514d 1957 xdg-utils_1.1.1-1+deb9u1.dsc
 0f046491a4f43475f6371f3fb345cb26cedb5114 295213 xdg-utils_1.1.1.orig.tar.gz
 b69e4e2119c63e0c12f4bb05363477ca85e07923 8868 xdg-utils_1.1.1-1+deb9u1.debian.tar.xz
 159da8cc25cb51708753ad780882185cf7666c4c 71180 xdg-utils_1.1.1-1+deb9u1_all.deb
 623c70589dbcac044791e059b3e2ab6f8c6ce771 6129 xdg-utils_1.1.1-1+deb9u1_amd64.buildinfo
Checksums-Sha256:
 8c75332c4a78a6daef7d4a7a463179d15659ee1b9a557ef1c6aba3dee1f6836b 1957 xdg-utils_1.1.1-1+deb9u1.dsc
 b0dd63a2576e0bb16f1aa78d6ddf7d6784784a098d4df17161cd6a17c7bc4125 295213 xdg-utils_1.1.1.orig.tar.gz
 e20f1e9bf1f45f0b31660e0a9397f9703654386ec5b7f2bd31b845abb3a72b36 8868 xdg-utils_1.1.1-1+deb9u1.debian.tar.xz
 861e85d98181d53f961e4a65fa960b20141ef1c57fc06e2b4ecc9ffca9097b5b 71180 xdg-utils_1.1.1-1+deb9u1_all.deb
 bc210cf7bf60c238dcceb2691ca7944ea19e86a47f4eb5fb8a3cdddbe3fcf033 6129 xdg-utils_1.1.1-1+deb9u1_amd64.buildinfo
Files:
 cda13a54a7e9a7d89f3f41fcfe83312f 1957 utils optional xdg-utils_1.1.1-1+deb9u1.dsc
 2d0aec6037769a5f138ff404b1bb4b15 295213 utils optional xdg-utils_1.1.1.orig.tar.gz
 223cc9ca65932fb2df5288efa4536ba2 8868 utils optional xdg-utils_1.1.1-1+deb9u1.debian.tar.xz
 6405e2af12eadf65455de2903499818b 71180 utils optional xdg-utils_1.1.1-1+deb9u1_all.deb
 4656060321e9cdb367406ed58fb6ec1c 6129 utils optional xdg-utils_1.1.1-1+deb9u1_amd64.buildinfo


Reply sent to Nicholas Guriev <guriev-ns@ya.ru>:
You have taken responsibility. (Mon, 28 May 2018 21:21:13 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 28 May 2018 21:21:13 GMT)


Message #35 received at 898317-close@bugs.debian.org:

From: Nicholas Guriev <guriev-ns@ya.ru>
To: 898317-close@bugs.debian.org
Subject: Bug#898317: fixed in xdg-utils 1.1.0~rc1+git20111210-7.4+deb8u1
Date: Mon, 28 May 2018 21:17:41 +0000
Source: xdg-utils
Source-Version: 1.1.0~rc1+git20111210-7.4+deb8u1

We believe that the bug you reported is fixed in the latest version of
xdg-utils, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 898317@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nicholas Guriev <guriev-ns@ya.ru> (supplier of updated xdg-utils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 20 May 2018 22:49:00 +0300
Source: xdg-utils
Binary: xdg-utils
Architecture: source all
Version: 1.1.0~rc1+git20111210-7.4+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Per Olofsson <pelle@debian.org>
Changed-By: Nicholas Guriev <guriev-ns@ya.ru>
Description:
 xdg-utils  - desktop integration utilities from freedesktop.org
Closes: 898317
Changes:
 xdg-utils (1.1.0~rc1+git20111210-7.4+deb8u1) jessie-security; urgency=high
 .
   * Fix CVE-2017-18266, closes: #898317.
     - Avoid argument injection vulnerability in open_generic.
Checksums-Sha1:
 dba6972fea0f2d20299c7affa1e0388c2ccf67a7 2055 xdg-utils_1.1.0~rc1+git20111210-7.4+deb8u1.dsc
 5ff3bdce38395b73ebc499fd206685e4eb5ebfc5 327534 xdg-utils_1.1.0~rc1+git20111210.orig.tar.gz
 45dbbceb3225a7f9171d35fd46d0376503cc5514 11252 xdg-utils_1.1.0~rc1+git20111210-7.4+deb8u1.debian.tar.xz
 bb7ae3db35eb1542a04dfbeb4def048abcfd4a17 65110 xdg-utils_1.1.0~rc1+git20111210-7.4+deb8u1_all.deb
Checksums-Sha256:
 66850bb305d93ff4df0b9d29c4d18c3efd84afba7f355fd62e12b6948238f79a 2055 xdg-utils_1.1.0~rc1+git20111210-7.4+deb8u1.dsc
 cb1a9898d5c6dbf23d924e3d6b12df8ea2ab883380bda1f0d4b010bd86fd2015 327534 xdg-utils_1.1.0~rc1+git20111210.orig.tar.gz
 2c9d57629b2502dc0261ec75beab90dd32c9cac73d7a93434015b7d62ed26282 11252 xdg-utils_1.1.0~rc1+git20111210-7.4+deb8u1.debian.tar.xz
 6cbf2baff396f0e439ee3d46a16b070ef4b07b11cf83fcc11a22190a6e27b8b5 65110 xdg-utils_1.1.0~rc1+git20111210-7.4+deb8u1_all.deb
Files:
 cbe337a0735790cf7dccf46e0c9d81e9 2055 utils optional xdg-utils_1.1.0~rc1+git20111210-7.4+deb8u1.dsc
 1238359ea2c99246e1ba8292c4eabd32 327534 utils optional xdg-utils_1.1.0~rc1+git20111210.orig.tar.gz
 d93a269cacfbec85e8434728b607fa62 11252 utils optional xdg-utils_1.1.0~rc1+git20111210-7.4+deb8u1.debian.tar.xz
 ebf3afb1f58846f04f7e4c8d2a6b3d20 65110 utils optional xdg-utils_1.1.0~rc1+git20111210-7.4+deb8u1_all.deb


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2018 07:26:38 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:37:12 2019; Machine Name: beach
