xdg-utils: CVE-2014-9622: command injection vulnerability

Related Vulnerabilities: CVE-2014-9622, CVE-2015-1877

Debian Bug report logs - #773085

Reported by: Michael Gilbert <mgilbert@debian.org>

Date: Sun, 14 Dec 2014 05:36:01 UTC

Severity: serious

Tags: help, patch, security, upstream

Found in version xdg-utils/1.0.2+cvs20100307-2

Fixed in versions xdg-utils/1.1.0~rc1+git20111210-7.3, xdg-utils/1.1.0~rc1+git20111210-6+deb7u2, xdg-utils/1.0.2+cvs20100307-2+deb6u1

Done: Mike Gabriel <sunweaver@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://bugs.freedesktop.org/show_bug.cgi?id=66670



Report forwarded to debian-bugs-dist@lists.debian.org, Per Olofsson <pelle@debian.org>:
Bug#773085; Package src:xdg-utils. (Sun, 14 Dec 2014 05:36:06 GMT)


Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
New Bug report received and forwarded. Copy sent to Per Olofsson <pelle@debian.org>. (Sun, 14 Dec 2014 05:36:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: xdg-utils: command injection vulnerability
Date: Sun, 14 Dec 2014 00:32:20 -0500
package: src:xdg-utils
severity: serious
version: 1.0.2+cvs20100307-2
control: tag -1 patch
control: forwarded -1 https://bugs.freedesktop.org/show_bug.cgi?id=66670

A command injection issue was disclosed for xdg-open:
http://seclists.org/fulldisclosure/2014/Nov/36

Patch for testing here:
https://bugs.freedesktop.org/attachment.cgi?id=109536

Best wishes,
Mike



Added tag(s) patch. Request was from Michael Gilbert <mgilbert@debian.org> to submit@bugs.debian.org. (Sun, 14 Dec 2014 05:36:06 GMT)


Set Bug forwarded-to-address to 'https://bugs.freedesktop.org/show_bug.cgi?id=66670'. Request was from Michael Gilbert <mgilbert@debian.org> to submit@bugs.debian.org. (Sun, 14 Dec 2014 05:36:07 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Per Olofsson <pelle@debian.org>:
Bug#773085; Package src:xdg-utils. (Wed, 31 Dec 2014 23:15:05 GMT)


Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
Extra info received and forwarded to list. Copy sent to Per Olofsson <pelle@debian.org>. (Wed, 31 Dec 2014 23:15:05 GMT)


Message #14 received at 773085@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: 773085@bugs.debian.org
Subject: Re: Bug#773085: xdg-utils: command injection vulnerability
Date: Wed, 31 Dec 2014 18:12:41 -0500
control: tag -1 pending

On Sun, Dec 14, 2014 at 12:32 AM, Michael Gilbert wrote:
> A command injection issue was disclosed for xdg-open:
> http://seclists.org/fulldisclosure/2014/Nov/36
>
> Patch for testing here:
> https://bugs.freedesktop.org/attachment.cgi?id=109536

Hi, I prepared an update fixing this, which I'll plan to upload to
delayed in a few days, but would appreciate review and testing
beforehand.  Please see attached.

Best wishes,
Mike
[xdg-utils.patch (text/x-patch, attachment)]

Added tag(s) pending. Request was from Michael Gilbert <mgilbert@debian.org> to 773085-submit@bugs.debian.org. (Wed, 31 Dec 2014 23:15:05 GMT)


Added tag(s) security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 01 Jan 2015 07:57:04 GMT)


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 01 Jan 2015 07:57:08 GMT)


Reply sent to Michael Gilbert <mgilbert@debian.org>:
You have taken responsibility. (Fri, 02 Jan 2015 19:21:36 GMT)


Notification sent to Michael Gilbert <mgilbert@debian.org>:
Bug acknowledged by developer. (Fri, 02 Jan 2015 19:21:36 GMT)


Message #25 received at 773085-close@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: 773085-close@bugs.debian.org
Subject: Bug#773085: fixed in xdg-utils 1.1.0~rc1+git20111210-7.2
Date: Fri, 02 Jan 2015 19:18:34 +0000
Source: xdg-utils
Source-Version: 1.1.0~rc1+git20111210-7.2

We believe that the bug you reported is fixed in the latest version of
xdg-utils, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 773085@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Gilbert <mgilbert@debian.org> (supplier of updated xdg-utils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 31 Dec 2014 22:42:44 +0000
Source: xdg-utils
Binary: xdg-utils
Architecture: source all
Version: 1.1.0~rc1+git20111210-7.2
Distribution: unstable
Urgency: medium
Maintainer: Per Olofsson <pelle@debian.org>
Changed-By: Michael Gilbert <mgilbert@debian.org>
Description:
 xdg-utils  - desktop integration utilities from freedesktop.org
Closes: 773085
Changes:
 xdg-utils (1.1.0~rc1+git20111210-7.2) unstable; urgency=medium
 .
   * Non-maintainer upload by the Security Team.
   * Fix command injection vulnerability in xdg-open (closes: #773085).




Information forwarded to debian-bugs-dist@lists.debian.org, Per Olofsson <pelle@debian.org>:
Bug#773085; Package src:xdg-utils. (Sat, 03 Jan 2015 16:33:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Per Olofsson <pelle@debian.org>. (Sat, 03 Jan 2015 16:33:05 GMT)


Message #30 received at 773085@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 773085@bugs.debian.org
Cc: Michael Gilbert <mgilbert@debian.org>
Subject: Regression in escaped url handling with patch applied for #773085
Date: Sat, 3 Jan 2015 17:31:20 +0100
Control: reopen -1

Hi Mike

I played around today checking the xdg-open issue for wheezy as well,
and noticed that the approach introduces a regression.

Steps for reproducing the issue:

$ xdg-mime default chromium.desktop x-scheme-handler/http
$ xdg-mime query default x-scheme-handler/http
chromium.desktop
$ DE='generic' XDG_CURRENT_DESKTOP="" xdg-open 'http://bugs.debian.org/cgi-bin/pkgreport.cgi?src=xdg-utils&repeatmerged=no'

Without the patch applied, the page is opened correctly. When doing the
same with the patch applied, chromium gets passed the argument
'$sed_escaped_url', and xdg-open executes /usr/bin/chromium
'$sed_escaped_url'.

I have not checked yet, but it might be that upstream had some
additional commits in the surrounding code for handling the arguments
differently.

Regards,
Salvatore



Bug reopened. Request was from Salvatore Bonaccorso <carnil@debian.org> to 773085-submit@bugs.debian.org. (Sat, 03 Jan 2015 16:33:05 GMT)


No longer marked as fixed in versions xdg-utils/1.1.0~rc1+git20111210-7.2. Request was from Salvatore Bonaccorso <carnil@debian.org> to 773085-submit@bugs.debian.org. (Sat, 03 Jan 2015 16:33:06 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Per Olofsson <pelle@debian.org>:
Bug#773085; Package src:xdg-utils. (Sat, 03 Jan 2015 22:27:04 GMT)


Acknowledgement sent to Vincent Bernat <bernat@debian.org>:
Extra info received and forwarded to list. Copy sent to Per Olofsson <pelle@debian.org>. (Sat, 03 Jan 2015 22:27:05 GMT)


Message #39 received at 773085@bugs.debian.org:

From: Vincent Bernat <bernat@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 773085@bugs.debian.org, Michael Gilbert <mgilbert@debian.org>
Subject: Re: Bug#773085: Regression in escaped url handling with patch applied for #773085
Date: Sat, 03 Jan 2015 23:22:35 +0100
 ❦  3 January 2015 17:31 +0100, Salvatore Bonaccorso <carnil@debian.org> :

> Steps for reproducing the issue:
>
> $ xdg-mime default chromium.desktop x-scheme-handler/http
> $ xdg-mime query default x-scheme-handler/http
> chromium.desktop
> $ DE='generic' XDG_CURRENT_DESKTOP="" xdg-open 'http://bugs.debian.org/cgi-bin/pkgreport.cgi?src=xdg-utils&repeatmerged=no'
>
> Without the patch applied, the page is opened correctly. When doing the
> same with the patch applied, chromium gets passed the argument
> '$sed_escaped_url', and xdg-open executes /usr/bin/chromium
> '$sed_escaped_url'.

I don't understand how the proposed patch would work. $arg_one (or
$sed_escaped_url) is singly quoted and therefore cannot be
expanded.

If I modify the first chunk of the patch, it works as expected:

arguments_exec="$(echo "$arguments" | sed -e 's*%[fFuU]*'"$sed_escaped_url"'*g')"

(unlike the initial chunk, I don't quote the argument.)

xdg-open 'http://www.example.com/$(xterm)' works as expected.

However, the whole stuff is quite fragile. I can't say for sure if
spaces would do something good or bad, but a star would not work. Here
is an improved version which is easier to understand.

#+begin_src sh
file=/usr/share/applications/chromium.desktop

# Safe quoting. We just enclose into single quotes the given argument
# and escape single quotes.
quote() {
    printf %s\\n "$1" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/'/"
}

arg="$1"
# Let the shell split the Exec= line of the .desktop file into words.
set -- $(sed -n 's/^Exec\(\[[^]]*\]\)\{0,1\}=//p' "$file")
cmd="$(which "$1" 2> /dev/null)"
[ -n "$cmd" ] || exit 2
shift
# Build the argument list: substitute the target for %f/%F/%u/%U and
# single-quote every word so that each survives re-parsing as exactly
# one argument.
args=""
while [ $# -gt 0 ]; do
    case $1 in
        %[fFuU])
            args="$args $(quote "$arg")"
            ;;
        *)
            args="$args $(quote "$1")"
            ;;
    esac
    shift
done
# eval is required here: the quotes produced by quote() are only honoured
# when the string is re-parsed by the shell; a plain "$cmd" $args would
# hand the quote characters to the program literally.
eval "$cmd" $args
#+end_src

The "set" is just here to let the shell do the quoting. If no
replacement was needed, we could just "$cmd" "$@" after the first shift
and be done. Unfortunately, with just a POSIX shell, the replacement of
the positional argument is difficult. Instead, we build the list of args
by quoting correctly each of them. Then, it can be executed.

Using bash would be more straightforward since we could stack our
arguments into an array and modify this array to substitute %U and the
like.
-- 
The surest protection against temptation is cowardice.
		-- Mark Twain

Removed tag(s) patch. Request was from Michael Gilbert <mgilbert@debian.org> to control@bugs.debian.org. (Sun, 04 Jan 2015 19:12:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Per Olofsson <pelle@debian.org>:
Bug#773085; Package src:xdg-utils. (Sun, 04 Jan 2015 19:33:13 GMT)


Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
Extra info received and forwarded to list. Copy sent to Per Olofsson <pelle@debian.org>. (Sun, 04 Jan 2015 19:33:13 GMT)


Message #46 received at 773085@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 773085@bugs.debian.org
Subject: Re: Bug#773085: Regression in escaped url handling with patch applied for #773085
Date: Sun, 4 Jan 2015 14:29:59 -0500
control: tag -1 help

On Sat, Jan 3, 2015 at 11:31 AM, Salvatore Bonaccorso wrote:
> I played around today checking the xdg-open issue for wheezy as well,
> and noticed that the approach introduces a regression.

Hi Salvatore,

Thanks for the review.  The upstream patch as Vincent mentions has the
same design flaw, and there is a straightforward fix he also suggests,
but the fragility overall is a concern and time should be spent on a
more robust fix.

I won't have time to look at this for a couple of days, so help is appreciated.

Best wishes,
Mike



Added tag(s) help. Request was from Michael Gilbert <mgilbert@debian.org> to 773085-submit@bugs.debian.org. (Sun, 04 Jan 2015 19:33:13 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Per Olofsson <pelle@debian.org>:
Bug#773085; Package src:xdg-utils. (Tue, 06 Jan 2015 14:54:04 GMT)


Acknowledgement sent to Vincent Bernat <bernat@debian.org>:
Extra info received and forwarded to list. Copy sent to Per Olofsson <pelle@debian.org>. (Tue, 06 Jan 2015 14:54:04 GMT)


Message #53 received at 773085@bugs.debian.org:

From: Vincent Bernat <bernat@debian.org>
To: Michael Gilbert <mgilbert@debian.org>
Cc: Salvatore Bonaccorso <carnil@debian.org>, 773085@bugs.debian.org
Subject: Re: Bug#773085: Regression in escaped url handling with patch applied for #773085
Date: Tue, 06 Jan 2015 15:50:22 +0100
 ❦  4 January 2015 14:29 -0500, Michael Gilbert <mgilbert@debian.org> :

>> I played around today checking the xdg-open issue for wheezy as well,
>> and noticed that the approach introduces a regression.
>
> Hi Salvatore,
>
> Thanks for the review.  The upstream patch as Vincent mentions has the
> same design flaw, and there is a straightforward fix he also suggests,
> but the fragility overall is a concern and time should be spent on a
> more robust fix.

My simple modification doesn't work as expected if the file name
contains spaces.

> I won't have time to look at this for a couple of days, so help is
> appreciated.

I'll come with a patch then.
-- 
Make sure comments and code agree.
            - The Elements of Programming Style (Kernighan & Plauger)

Information forwarded to debian-bugs-dist@lists.debian.org, Per Olofsson <pelle@debian.org>:
Bug#773085; Package src:xdg-utils. (Thu, 08 Jan 2015 07:54:04 GMT)


Acknowledgement sent to Vincent Bernat <bernat@debian.org>:
Extra info received and forwarded to list. Copy sent to Per Olofsson <pelle@debian.org>. (Thu, 08 Jan 2015 07:54:04 GMT)


Message #58 received at 773085@bugs.debian.org:

From: Vincent Bernat <bernat@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 773085@bugs.debian.org, Michael Gilbert <mgilbert@debian.org>
Subject: Re: Bug#773085: Regression in escaped url handling with patch applied for #773085
Date: Thu, 08 Jan 2015 08:50:58 +0100
Control: tags -1 + patch

 ❦  3 January 2015 23:22 +0100, Vincent Bernat <bernat@debian.org> :

> However, the whole stuff is quite fragile. I can't say for sure if
> spaces would do something good or bad, but a star would not work. Here
> is an improved version which is easier to understand.

I have found a way to be even more concise and not rely on any "magic"
(other than "$@" being the only array in a POSIX shell). Here is a
patch.

The first change is to let the shell do the splitting of the command in
the .desktop file (set -- $(sed ...)).

The second change is to use "$@" behaving like an array. We cannot
modify this array but we can append to it (with set -- "$@"
"$newarg"). Basically, we take $command_exec and then shift. Then, we
iterate on each argument using a counter and if the argument needs to be
modified (because this is the placeholder), we append the modified
version, otherwise, we append it unmodified. At the end, "$@" is the
array of arguments to be passed to "$command_exec". If no replacement
has happened, we also append the target file.

No magic quoting is done, no evaluation. I think this is a safe
alternative to the current script. I can also push it upstream.

Per, I see that you committed to git yesterday. Would you take the patch
as is or do you want me to do an NMU?

[xdg-open-safe.patch (text/x-diff, inline)]
--- /usr/bin/xdg-open	2015-01-03 22:22:18.513474060 +0100
+++ ./xdg-open	2015-01-08 08:42:47.513093876 +0100
@@ -526,6 +526,7 @@
 
 open_generic_xdg_mime()
 {
+    target="$1"
     filetype="$2"
     default=`xdg-mime query default "$filetype"`
     if [ -n "$default" ] ; then
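Review bot: `target="$1"` is needed because the `set --` later in this function replaces the positional parameters, but it is assigned as a global (like `filetype` on the next line) and only the lines shown in this patch switch to it; any remaining use of `$1` in open_generic_xdg_mime after the `set --`, outside this hunk, would now see the Exec command word instead of the file or URL and must be changed to `$target` as well.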
@@ -546,17 +547,34 @@
             fi
 
             if [ -r "$file" ] ; then
-                command="`grep -E "^Exec(\[[^]=]*])?=" "$file" | cut -d= -f 2- | first_word`"
-                command_exec=`which $command 2>/dev/null`
-                arguments="`grep -E "^Exec(\[[^]=]*])?=" "$file" | cut -d= -f 2- | last_word`"
-                local sed_escaped_url="$(echo "$1" | sed -e 's/[&\\]/\\&/g')"
-                arguments_exec="$(echo "$arguments" | sed -e 's*%[fFuU]*'"$sed_escaped_url"'*g')"
+                set -- $(sed -n 's/^Exec\(\[[^]]*\]\)\{0,1\}=//p' "$file")
+                command_exec="$(which "$1" 2> /dev/null)"
                 if [ -x "$command_exec" ] ; then
-                    if echo $arguments | grep -iq '%[fFuU]' ; then
-                        eval '$command_exec' '$arguments_exec'
-                    else
-                        eval '$command_exec' '$arguments_exec' '"$1"'
-                    fi
+                    shift
+                    # We need to replace any occurrence of "%f", "%F" and
+                    # the like by the target file. We examine each
+                    # argument and append the modified argument to the
+                    # end then shift.
+                    args=$#
+                    replaced=0
+                    while [ $args -gt 0 ]; do
+                        case $1 in
+                            %[fFuU])
+                                replaced=1
+                                arg="$target"
+                                shift
+                                set -- "$@" "$arg"
+                                ;;
+                            *)
+                                arg="$1"
+                                shift
+                                set -- "$@" "$arg"
+                                ;;
+                        esac
+                        args=$(( $args - 1 ))
+                    done
+                    [ $replaced -eq 1 ] || set -- "$@" "$target"
+                    "$command_exec" "$@"
 
                     if [ $? -eq 0 ]; then
                         exit_success
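Review bot: `set -- $(sed -n 's/^Exec\(\[[^]]*\]\)\{0,1\}=//p' "$file")` leaves the substitution unquoted on purpose for field splitting, but that also applies pathname expansion, so a `*` or `?` in the Exec line expands against the current directory; bracket it with `set -f` and `set +f`. Two behavioural differences from the removed code deserve a comment in the script: `sed -n ... p` prints every matching line, so a file carrying both `Exec=` and a localized `Exec[xx]=` entry produces one merged argument list, and `case $1 in %[fFuU])` only matches an argument that is exactly the field code, so a placeholder embedded in a longer word (which the old `sed 's*%[fFuU]*...*g'` did substitute) is now passed to the program literally, as are other field codes such as `%i`, `%c` or `%k`, which neither version strips.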
-- 
Make sure all variables are initialised before use.
            - The Elements of Programming Style (Kernighan & Plauger)

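The "$@"-append technique from the patch above, packaged as a stand-alone function; this is an added example, not the project's code or Vincent's patch. It assumes the Exec= line has already been extracted from the .desktop file, adds `set -f` around the word split (which the patch does not do), and uses `printf` as a stand-in for the browser so that the resulting argv is visible one element per line.

```shell
#!/bin/sh
# Added example, not code from the xdg-utils patch or the project: run a
# .desktop Exec= command with %f/%F/%u/%U replaced by the target, using
# neither eval nor hand-rolled quoting. Assumptions: POSIX sh, an Exec
# line already extracted from the .desktop file, a target with no newline.

# exec_desktop TARGET EXEC_LINE
#   Runs the command named by EXEC_LINE with its arguments, substituting
#   TARGET for every stand-alone %f/%F/%u/%U field code. If no field code
#   is present, TARGET is appended as the last argument (as xdg-open does).
#   Returns 1 for an empty Exec line and 2 if the command is not on PATH.
exec_desktop() {
    target="$1"
    # Let the shell split the Exec line into words, as the patch does, but
    # with pathname expansion switched off so that '*' or '?' in the line
    # cannot expand against the current directory.
    set -f
    set -- $2
    set +f
    [ $# -gt 0 ] || return 1
    # Only run something resolvable on PATH; refuse otherwise.
    cmd=$(command -v "$1") || return 2
    shift
    # Rotate "$@" once per element: pop the head, push the (possibly
    # substituted) value on the tail. After $# rotations the list is
    # rebuilt in order with the field codes replaced; "$@" is the only
    # array POSIX sh offers, and it is never re-parsed as shell syntax.
    n=$#
    replaced=0
    while [ "$n" -gt 0 ]; do
        case $1 in
            %[fFuU]) arg="$target"; replaced=1 ;;
            *)       arg="$1" ;;
        esac
        shift
        set -- "$@" "$arg"
        n=$((n - 1))
    done
    [ "$replaced" -eq 1 ] || set -- "$@" "$target"
    # The target reaches the program as one argv element, byte for byte:
    # a '$(...)', ';' or quote inside it is data, never shell syntax.
    "$cmd" "$@"
}

# Constructed demo: 'printf %s\n' stands in for the browser so that argv is
# printed one element per line. The target deliberately carries shell
# metacharacters, whitespace and a glob, and is passed through verbatim.
DEMO_TARGET='http://example.com/$(xterm) two words *.txt'
exec_desktop "$DEMO_TARGET" 'printf %s\n --incognito %U'
```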
Added tag(s) patch. Request was from Vincent Bernat <bernat@debian.org> to 773085-submit@bugs.debian.org. (Thu, 08 Jan 2015 07:54:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Per Olofsson <pelle@debian.org>:
Bug#773085; Package src:xdg-utils. (Sat, 10 Jan 2015 15:33:04 GMT)


Acknowledgement sent to Vincent Bernat <bernat@debian.org>:
Extra info received and forwarded to list. Copy sent to Per Olofsson <pelle@debian.org>. (Sat, 10 Jan 2015 15:33:04 GMT)


Message #65 received at 773085@bugs.debian.org:

From: Vincent Bernat <bernat@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 773085@bugs.debian.org, Michael Gilbert <mgilbert@debian.org>
Subject: Re: Bug#773085: Regression in escaped url handling with patch applied for #773085
Date: Sat, 10 Jan 2015 16:28:51 +0100
 ❦  8 January 2015 08:50 +0100, Vincent Bernat <bernat@debian.org> :

> Per, I see that you committed to git yesterday. Would you take the patch
> as is or do you want me to do an NMU?

I have just uploaded an NMU to delayed/2. Works for me.
-- 
Zounds!  I was never so bethumped with words
since I first called my brother's father dad.
		-- William Shakespeare, "King John"

Reply sent to Vincent Bernat <bernat@debian.org>:
You have taken responsibility. (Mon, 12 Jan 2015 15:51:15 GMT)


Notification sent to Michael Gilbert <mgilbert@debian.org>:
Bug acknowledged by developer. (Mon, 12 Jan 2015 15:51:15 GMT)


Message #70 received at 773085-close@bugs.debian.org:

From: Vincent Bernat <bernat@debian.org>
To: 773085-close@bugs.debian.org
Subject: Bug#773085: fixed in xdg-utils 1.1.0~rc1+git20111210-7.3
Date: Mon, 12 Jan 2015 15:48:50 +0000
Source: xdg-utils
Source-Version: 1.1.0~rc1+git20111210-7.3

We believe that the bug you reported is fixed in the latest version of
xdg-utils, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 773085@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vincent Bernat <bernat@debian.org> (supplier of updated xdg-utils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 10 Jan 2015 16:21:20 +0100
Source: xdg-utils
Binary: xdg-utils
Architecture: source all
Version: 1.1.0~rc1+git20111210-7.3
Distribution: unstable
Urgency: medium
Maintainer: Per Olofsson <pelle@debian.org>
Changed-By: Vincent Bernat <bernat@debian.org>
Description:
 xdg-utils  - desktop integration utilities from freedesktop.org
Closes: 773085
Changes:
 xdg-utils (1.1.0~rc1+git20111210-7.3) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Fix command injection vulnerability in xdg-open (closes: #773085).




Changed Bug title to 'xdg-utils: CVE-2014-9622: command injection vulnerability' from 'xdg-utils: command injection vulnerability'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 17 Jan 2015 23:03:05 GMT)


Reply sent to Michael Gilbert <mgilbert@debian.org>:
You have taken responsibility. (Tue, 20 Jan 2015 21:22:30 GMT)


Notification sent to Michael Gilbert <mgilbert@debian.org>:
Bug acknowledged by developer. (Tue, 20 Jan 2015 21:22:30 GMT)


Message #77 received at 773085-close@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: 773085-close@bugs.debian.org
Subject: Bug#773085: fixed in xdg-utils 1.1.0~rc1+git20111210-6+deb7u2
Date: Tue, 20 Jan 2015 21:17:12 +0000
Source: xdg-utils
Source-Version: 1.1.0~rc1+git20111210-6+deb7u2

We believe that the bug you reported is fixed in the latest version of
xdg-utils, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 773085@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Gilbert <mgilbert@debian.org> (supplier of updated xdg-utils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 18 Jan 2015 23:02:46 +0000
Source: xdg-utils
Binary: xdg-utils
Architecture: source all
Version: 1.1.0~rc1+git20111210-6+deb7u2
Distribution: stable-security
Urgency: high
Maintainer: Per Olofsson <pelle@debian.org>
Changed-By: Michael Gilbert <mgilbert@debian.org>
Description: 
 xdg-utils  - desktop integration utilities from freedesktop.org
Closes: 773085
Changes: 
 xdg-utils (1.1.0~rc1+git20111210-6+deb7u2) stable-security; urgency=high
 .
   * Non-maintainer upload by the security team.
   * Fix command injection vulnerability in xdg-open (closes: #773085).




Reply sent to Mike Gabriel <sunweaver@debian.org>:
You have taken responsibility. (Thu, 30 Apr 2015 22:03:10 GMT)


Notification sent to Michael Gilbert <mgilbert@debian.org>:
Bug acknowledged by developer. (Thu, 30 Apr 2015 22:03:10 GMT)


Message #82 received at 773085-close@bugs.debian.org:

From: Mike Gabriel <sunweaver@debian.org>
To: 773085-close@bugs.debian.org
Subject: Bug#773085: fixed in xdg-utils 1.0.2+cvs20100307-2+deb6u1
Date: Thu, 30 Apr 2015 22:00:13 +0000
Source: xdg-utils
Source-Version: 1.0.2+cvs20100307-2+deb6u1

We believe that the bug you reported is fixed in the latest version of
xdg-utils, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 773085@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <sunweaver@debian.org> (supplier of updated xdg-utils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 22 Apr 2015 14:50:36 +0200
Source: xdg-utils
Binary: xdg-utils
Architecture: source all
Version: 1.0.2+cvs20100307-2+deb6u1
Distribution: squeeze-lts
Urgency: medium
Maintainer: Per Olofsson <pelle@debian.org>
Changed-By: Mike Gabriel <sunweaver@debian.org>
Description: 
 xdg-utils  - desktop integration utilities from freedesktop.org
Closes: 652067 654863 773085 777722
Changes: 
 xdg-utils (1.0.2+cvs20100307-2+deb6u1) squeeze-lts; urgency=medium
 .
   * Non-maintainer upload by Debian LTS Team.
   * debian/patches:
     + Add backport-jessie-open-generic-xdg-mime-function.diff.
       Backport open_generic(), open_generic_xdg_x_scheme_handler(),
       open_generic_xdg_file_mime() and open_generic_xdg_mime() functions
       from xdg-utils 1.1.0~rc1+git20111210-7.4 (as found in Debian 8.0).
       Closes: #777722, #773085, #654863, #652067.
       Fixes: CVE-2014-9622, CVE-2015-1877.
     + Drop run-mailcap-decode.diff. Included in patch file
       backport-jessie-open-generic-xdg-mime-function.diff.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 29 May 2015 07:31:10 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:02:01 2019; Machine Name: buxtehude
