exo: CVE-2022-32278

Debian Bug report logs - #1013129

Reported by: Moritz Mühlenhoff <jmm@inutil.org>

Date: Fri, 17 Jun 2022 15:12:02 UTC

Severity: grave

Tags: security, upstream

Found in version exo/4.16.3-1

Fixed in version exo/4.16.4-1

Done: Yves-Alexis Perez <corsac@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Xfce Maintainers <debian-xfce@lists.debian.org>:
Bug#1013129; Package src:exo. (Fri, 17 Jun 2022 15:12:04 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Xfce Maintainers <debian-xfce@lists.debian.org>. (Fri, 17 Jun 2022 15:12:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: submit@bugs.debian.org
Subject: exo: CVE-2022-32278
Date: Fri, 17 Jun 2022 17:08:19 +0200
Source: exo
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for exo.

CVE-2022-32278[0]:
| XFCE 4.16 allows attackers to execute arbitrary code because xdg-open
| can execute a .desktop file on an attacker-controlled FTP server.

https://gitlab.xfce.org/xfce/exo/-/commit/c71c04ff5882b2866a0d8506fb460d4ef796de9f

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-32278
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32278

Please adjust the affected versions in the BTS as needed.



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 17 Jun 2022 19:57:06 GMT)


Marked as found in versions exo/4.16.3-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 17 Jun 2022 19:57:07 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xfce Maintainers <debian-xfce@lists.debian.org>:
Bug#1013129; Package src:exo. (Sat, 18 Jun 2022 11:51:02 GMT)


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Xfce Maintainers <debian-xfce@lists.debian.org>. (Sat, 18 Jun 2022 11:51:02 GMT)


Message #14 received at 1013129@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: Moritz Mühlenhoff <jmm@inutil.org>, 1013129@bugs.debian.org
Subject: Re: Bug#1013129: exo: CVE-2022-32278
Date: Sat, 18 Jun 2022 13:49:45 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Fri, 2022-06-17 at 17:08 +0200, Moritz Mühlenhoff wrote:
> The following vulnerability was published for exo.
> 
> CVE-2022-32278[0]:
> > XFCE 4.16 allows attackers to execute arbitrary code because xdg-open
> > can execute a .desktop file on an attacker-controlled FTP server.
> 
> https://gitlab.xfce.org/xfce/exo/-/commit/c71c04ff5882b2866a0d8506fb460d4ef796de9f
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2022-32278
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32278
> 
> Please adjust the affected versions in the BTS as needed.

Hi Moritz, thanks for the heads-up, I'll take care of the upload to sid and
stable-security.

Regards,
- -- 
Yves-Alexis
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEE8vi34Qgfo83x35gF3rYcyPpXRFsFAmKtu9kACgkQ3rYcyPpX
RFsDjQf+NFhYi6pCz7G+2Ce9Byhpoi94b0CN8t2+4ILY2/NJq8wOv6IRgy4TrYz/
tvff1vCiK+OwnSymWnIiUNuslhqZxvJjTGuD1ZvgTd6UCxUhH1nEoE2mjR/LOnIL
UePIkyJ3aWAZV1mr/Ez+f+YCZfuxuJKFIhjwX28p6qDvwK+F3oNUdlLJf670v8nz
jROrgnIOZ2tVw6+Z3+Bd67VcW9zoHN87/hWIxxM7Hs6qrROGd27YauxTiXHdcDRQ
3fNicUiEB0E8FPhvJ5Dq+iXhHnqef7/WlKp15ci69dDv1RcBBfP1VsAh9OZn5tPE
6nGqseCIwTcPb6ACU1rIJuPoqkxv0w==
=552N
-----END PGP SIGNATURE-----



Reply sent to Yves-Alexis Perez <corsac@debian.org>:
You have taken responsibility. (Sat, 18 Jun 2022 12:06:08 GMT)


Notification sent to Moritz Mühlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Sat, 18 Jun 2022 12:06:08 GMT)


Message #19 received at 1013129-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1013129-close@bugs.debian.org
Subject: Bug#1013129: fixed in exo 4.16.4-1
Date: Sat, 18 Jun 2022 12:03:57 +0000
Source: exo
Source-Version: 4.16.4-1
Done: Yves-Alexis Perez <corsac@debian.org>

We believe that the bug you reported is fixed in the latest version of
exo, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1013129@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yves-Alexis Perez <corsac@debian.org> (supplier of updated exo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 18 Jun 2022 13:49:57 +0200
Source: exo
Architecture: source
Version: 4.16.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Xfce Maintainers <debian-xfce@lists.debian.org>
Changed-By: Yves-Alexis Perez <corsac@debian.org>
Closes: 1013129
Changes:
 exo (4.16.4-1) unstable; urgency=medium
 .
   * New upstream version 4.16.4
   - Fix CVE-2022-32278, exo allows executing .desktop files with remote URI
     scheme. (Closes: #1013129)
Checksums-Sha1:
 60432311f45995469c6b6af91f4d7c85e23b0788 1852 exo_4.16.4-1.dsc
 228ebd069482b5f57ed421d5edfc05434c68fbb4 876080 exo_4.16.4.orig.tar.bz2
 ac4b241b15fe467a14f6067ac69d314a26604411 13008 exo_4.16.4-1.debian.tar.xz
 6ce8b7dee10fd9d1b282659f98f84a4abfcfe0ff 16416 exo_4.16.4-1_amd64.buildinfo
Checksums-Sha256:
 f3c876b48239fb2117c8c9cc68f99e15731476dc5589de1e5410feffc5b2685f 1852 exo_4.16.4-1.dsc
 82a50c67e78f1e5c420b7615515bcca759b86eeab99224ab8eca4306b89d2eca 876080 exo_4.16.4.orig.tar.bz2
 2f03444b14984cc82803b9a35abb05b8318c416b7654068480560588e04dc423 13008 exo_4.16.4-1.debian.tar.xz
 129938462d5c483eb18c4831caab25939a563f5a13d16da8e9828dca0b76161f 16416 exo_4.16.4-1_amd64.buildinfo
Files:
 0a3e3680a4a609fe8b6379c46763e691 1852 xfce optional exo_4.16.4-1.dsc
 f85fe6ad7fbd989c622f4d4ebef86881 876080 xfce optional exo_4.16.4.orig.tar.bz2
 4fe97ce8597cd0bb6830a917302c791e 13008 xfce optional exo_4.16.4-1.debian.tar.xz
 dcaa620c057f8e98f019bc73a8ac327c 16416 xfce optional exo_4.16.4-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEE8vi34Qgfo83x35gF3rYcyPpXRFsFAmKtvqUACgkQ3rYcyPpX
RFsMQAgA3gCue5pJodrz1UCqRz0YR/7NYDGB8FjAI36nnfBcbiodDk5bIDe69ueZ
gYXHTmT3hthCtm2jPAJ8aQNqbrHr+EdSos/JHj4597SFnI45XCltGHF51PKzTdjE
7MJ+4tznQa9RagVNcfFC3mdJ9KZwihum0KyKx/Bcj8p9/Kws2qAaeRZ9ai5bKiJf
wXPVtoZ3JJoSsx8iWBYIrhKknwH1kdbOYB9195fii2rYRm/uIkSApNN7L2oS9qj1
6+OFTRuX8Iy7+76PvSEcJrPyLsnDcIbIJCDL5Y3B9IdOPb2GwxMKoLuWwKA+QDiX
7zqZ7hcrRoDd/L3dDl9FisAUnP9ayA==
=l55X
-----END PGP SIGNATURE-----
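The CVE text in the first message (a .desktop file fetched from an attacker-controlled FTP server gets executed) and the changelog entry above (exo no longer executes .desktop files reached through a remote URI scheme) describe the same defence: check where the target lives before treating it as a launchable .desktop file. The C block below is an added illustration of that locality check, written for this page; it is not exo's or Xfce's code and does not reproduce the upstream commit. It parses the scheme per RFC 3986, accepts plain paths and file: URIs whose authority is empty or "localhost" as local (RFC 8089), and classifies a .desktop target under any other scheme, including a file://host/share form, as a remote launch attempt to refuse. Function names and the sample URIs are constructed for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Length of the URI scheme per RFC 3986 (ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
 * followed by ':'), or 0 when the string carries no scheme and is therefore a plain path. */
static size_t uri_scheme_len(const char *s)
{
    if (s == NULL || !isalpha((unsigned char)s[0]))
        return 0;
    size_t i = 1;
    while (s[i] != '\0' &&
           (isalnum((unsigned char)s[i]) || s[i] == '+' || s[i] == '-' || s[i] == '.'))
        i++;
    return s[i] == ':' ? i : 0;
}

/* Does the target name a .desktop file? Query and fragment are ignored first, so
 * "app.desktop?dl=1" still counts, and the suffix comparison is case-insensitive. */
bool names_desktop_file(const char *uri)
{
    static const char suffix[] = ".desktop";
    const size_t slen = sizeof suffix - 1;
    size_t n = strcspn(uri, "?#");
    return n >= slen && strncasecmp(uri + n - slen, suffix, slen) == 0;
}

/* True when the target lives on this machine: a scheme-less path, "file:/path", or a
 * file: URI whose authority is empty or "localhost" (RFC 8089). "file://server/share/..."
 * names another host and is treated like any other remote scheme. */
bool uri_is_local_file(const char *uri)
{
    size_t slen = uri_scheme_len(uri);
    if (slen == 0)
        return true;                               /* plain path, no scheme */
    if (slen != 4 || strncasecmp(uri, "file", 4) != 0)
        return false;                              /* ftp:, http:, sftp:, ... */
    const char *rest = uri + slen + 1;             /* text after "file:" */
    if (strncmp(rest, "//", 2) != 0)
        return rest[0] == '/';                     /* "file:/path" form */
    rest += 2;
    const char *slash = strchr(rest, '/');
    size_t alen = slash != NULL ? (size_t)(slash - rest) : strlen(rest);
    if (alen == 0)
        return true;                               /* file:///path */
    return alen == 9 && strncasecmp(rest, "localhost", 9) == 0;
}

/* Policy gate in front of a .desktop launcher (hypothetical helper): launch only when the
 * target is a .desktop file AND it is local. Anything else is handed to the registered
 * handler for its scheme as plain data (browser, file manager), never executed. */
bool may_launch_as_desktop_file(const char *uri)
{
    return names_desktop_file(uri) && uri_is_local_file(uri);
}

/* The CVE-2022-32278 shape: a .desktop file reached through a remote scheme. */
bool is_remote_desktop_launch_attempt(const char *uri)
{
    return names_desktop_file(uri) && !uri_is_local_file(uri);
}

int main(void)
{
    /* Constructed sample targets; the hosts are documentation addresses, not real ones. */
    const char *samples[] = {
        "/home/user/app.desktop",
        "file:///home/user/app.desktop",
        "file://localhost/home/user/app.desktop",
        "ftp://198.51.100.7/pub/app.desktop",
        "file://fileserver.example/share/app.desktop",
        "https://example.com/index.html",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *u = samples[i];
        printf("%-48s %s\n", u,
               is_remote_desktop_launch_attempt(u) ? "REFUSE (remote .desktop)"
               : may_launch_as_desktop_file(u)     ? "launch local .desktop"
                                                   : "open with scheme handler");
    }
    return 0;
}
```

The suffix test only decides whether the target is a candidate for the launcher path; the security decision is the locality check, which is why a remote URI that does not end in .desktop is still passed to its scheme handler as data rather than blocked outright. A production launcher would apply the same gate after resolving the file type rather than relying on the name alone.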






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Jun 18 13:14:11 2022; Machine Name: buxtehude
