CVE-2007-3770: execute arbitrary commands via crafted links using "Open Link" functionality

Related Vulnerabilities: CVE-2007-3770  

Debian Bug report logs - #437454


Reported by: Darren Salt <linux@youmustbejoking.demon.co.uk>

Date: Sun, 12 Aug 2007 16:36:04 UTC

Severity: grave

Tags: patch, security

Found in version xfce4-terminal/0.2.5.6rc1-2

Fixed in versions xfce4-terminal/0.2.6-3, xfce4-terminal/0.2.5.6rc1-2etch4

Done: Yves-Alexis Perez <corsac@corsac.net>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Xfce Maintainers <pkg-xfce-devel@lists.alioth.debian.org>:
Bug#437454; Package xfce4-terminal.


Acknowledgement sent to Darren Salt <linux@youmustbejoking.demon.co.uk>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Xfce Maintainers <pkg-xfce-devel@lists.alioth.debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Darren Salt <linux@youmustbejoking.demon.co.uk>
To: submit@bugs.debian.org
Subject: CVE-2007-3770: execute arbitrary commands via crafted links using "Open Link" functionality
Date: Sun, 12 Aug 2007 16:58:37 +0100
Package: xfce4-terminal
Version: 0.2.5.6rc1-2
Severity: grave
Tags: security, patch

CVE-2007-3770 says:
  The terminal_helper_execute function in terminal/terminal.c in Xfce
  Terminal 0.2.6 allows user-assisted remote attackers to execute arbitrary
  commands via shell metacharacters in a crafted link, as demonstrated using
  the "Open Link" functionality.

Upstream link: http://bugzilla.xfce.org/show_bug.cgi?id=3383

The attached patch fixes this: the code changes add shell quoting, using
g_shell_quote(), and the *.desktop.in files are modified to avoid
over-quoting (without this, we'd get "'foo'" instead of 'foo').

-- 
| Darren Salt    | linux or ds at              | nr. Ashington, | Toon
| RISC OS, Linux | youmustbejoking,demon,co,uk | Northumberland | Army
| + Use more efficient products. Use less.          BE MORE ENERGY EFFICIENT.

Confucius say: He who post large binary, get flamed.

[01_CVE-2007-3770.patch (application/octet-stream, attachment)]
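
The quoting fix described in the report above, sketched as an added example (this is not the attached patch or Xfce code): `shell_quote` is a stand-in that mirrors the single-quote strategy of `g_shell_quote()`. The `browser %s` templates, `expand_template`, `build_command` and the sample link are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Stand-in for g_shell_quote(): wrap in '...', rewrite each ' as '\''. */
char *shell_quote(const char *s)
{
    size_t n = 2;                               /* the two enclosing quotes */
    for (const char *p = s; *p; p++) n += (*p == '\'') ? 4 : 1;
    char *out = malloc(n + 1), *w = out;
    if (!out) return NULL;
    *w++ = '\'';
    for (const char *p = s; *p; p++) {
        if (*p == '\'') { memcpy(w, "'\\''", 4); w += 4; }
        else *w++ = *p;
    }
    *w++ = '\''; *w = '\0';
    return out;
}

/* Hypothetical helper: put arg in place of the first %s of a template. */
char *expand_template(const char *tmpl, const char *arg)
{
    const char *slot = strstr(tmpl, "%s");
    size_t head = slot ? (size_t)(slot - tmpl) : strlen(tmpl);
    char *out = malloc(strlen(tmpl) + strlen(arg) + 1);
    if (!out) return NULL;
    memcpy(out, tmpl, head); out[head] = '\0';
    if (slot) { strcat(out, arg); strcat(out, slot + 2); }
    return out;
}

/* String handed to the shell; quote=0 models the pre-fix behaviour. */
char *build_command(const char *tmpl, const char *link, int quote)
{
    char *q = quote ? shell_quote(link) : NULL;
    char *cmd = (quote && !q) ? NULL : expand_template(tmpl, q ? q : link);
    free(q);
    return cmd;
}

int main(void)
{
    const char *link = "http://example.invalid/;echo INJECTED"; /* constructed */
    const char *tmpl[] = { "browser %s", "browser %s", "browser \"%s\"" };
    for (int i = 0; i < 3; i++) {   /* pre-fix, fixed, fixed with old template */
        char *cmd = build_command(tmpl[i], link, i > 0);
        if (cmd) { puts(cmd); free(cmd); }
    }
    return 0;
}
```

In the third output line the shell removes only the outer double quotes, so the helper receives the single quotes as part of the link; that is the over-quoting the `*.desktop.in` change avoids.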

Reply sent to Yves-Alexis Perez <corsac@corsac.net>:
You have taken responsibility.


Notification sent to Darren Salt <linux@youmustbejoking.demon.co.uk>:
Bug acknowledged by developer.


Message #10 received at 437454-close@bugs.debian.org:

From: Yves-Alexis Perez <corsac@corsac.net>
To: 437454-close@bugs.debian.org
Subject: Bug#437454: fixed in xfce4-terminal 0.2.6-3
Date: Sun, 12 Aug 2007 17:47:15 +0000
Source: xfce4-terminal
Source-Version: 0.2.6-3

We believe that the bug you reported is fixed in the latest version of
xfce4-terminal, which is due to be installed in the Debian FTP archive:

xfce4-terminal_0.2.6-3.diff.gz
  to pool/main/x/xfce4-terminal/xfce4-terminal_0.2.6-3.diff.gz
xfce4-terminal_0.2.6-3.dsc
  to pool/main/x/xfce4-terminal/xfce4-terminal_0.2.6-3.dsc
xfce4-terminal_0.2.6-3_amd64.deb
  to pool/main/x/xfce4-terminal/xfce4-terminal_0.2.6-3_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 437454@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yves-Alexis Perez <corsac@corsac.net> (supplier of updated xfce4-terminal package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 12 Aug 2007 18:00:09 +0100
Source: xfce4-terminal
Binary: xfce4-terminal
Architecture: source amd64
Version: 0.2.6-3
Distribution: unstable
Urgency: high
Maintainer: Debian Xfce Maintainers <pkg-xfce-devel@lists.alioth.debian.org>
Changed-By: Yves-Alexis Perez <corsac@corsac.net>
Description: 
 xfce4-terminal - Xfce terminal emulator
Closes: 437454
Changes: 
 xfce4-terminal (0.2.6-3) unstable; urgency=high
 .
   (Yves-Alexis Perez)
   * debian/menu: switch to new menu policy.
   (Simon Huggins)
   * Fix security problem in URL handling code (CVE-2007-3770) thanks to Darren
     Salt                                                        closes: #437454
   * urgency high for the above.
Files: 
 d8960cd5fd13c5af5debbf92f0bd2af6 941 x11 optional xfce4-terminal_0.2.6-3.dsc
 273f5f7976d025dc3f6789894c5a2bbe 14496 x11 optional xfce4-terminal_0.2.6-3.diff.gz
 e4a1af5d70c5540d885e5f2cfebffb91 1266598 x11 optional xfce4-terminal_0.2.6-3_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGv0OyMQdl+99c4rQRAn+aAJ9eao9E1SozSoc2NA1Sg+VIm3Y8JQCdGyZ0
HNcqrQMEYBoIbG20kQftPWU=
=GZei
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xfce Maintainers <pkg-xfce-devel@lists.alioth.debian.org>:
Bug#437454; Package xfce4-terminal.


Acknowledgement sent to Tino Keitel <tino.keitel@tikei.de>:
Extra info received and forwarded to list. Copy sent to Debian Xfce Maintainers <pkg-xfce-devel@lists.alioth.debian.org>.


Message #15 received at 437454@bugs.debian.org:

From: Tino Keitel <tino.keitel@tikei.de>
To: 437454@bugs.debian.org
Subject: fix for Etch still missing
Date: Fri, 24 Aug 2007 17:19:08 +0200
Hi,

what is the status of this bug regarding Etch? The Etch version is
affected, too, and the fix should also apply to the Etch version.

Regards,
Tino



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xfce Maintainers <pkg-xfce-devel@lists.alioth.debian.org>:
Bug#437454; Package xfce4-terminal.


Acknowledgement sent to 437454@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Debian Xfce Maintainers <pkg-xfce-devel@lists.alioth.debian.org>.


Message #20 received at 437454@bugs.debian.org:

From: Simon Huggins <huggie@earth.li>
To: Tino Keitel <tino.keitel@tikei.de>, 437454@bugs.debian.org
Subject: Re: [Pkg-xfce-devel] Bug#437454: fix for Etch still missing
Date: Fri, 24 Aug 2007 17:11:04 +0100
On Fri, Aug 24, 2007 at 05:19:08PM +0200, Tino Keitel wrote:
> what is the status of this bug regarding Etch? The Etch version is
> affected, too, and the fix should also apply to the Etch version.

I have untested packages for stable at:
http://the.earth.li/~huggie/xfce4-terminal-fix/

If you have an amd64 box you can just install the deb.  Otherwise if you
rebuild it from that .dsc/.diff.gz/.orig.tar.gz on your machine and can
let me know that you can reproduce the bug on the old one but not the
new that would be useful.

I need to test it myself tonight.

-- 
 _        huggie@earth.li      -+*+-     fou, con et anglais      _
(_)   "No, the radio works.  You don't" - Basil, Fawlty Towers   (_)
(_)                                                              (_)
  \___                                                        ___/

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xfce Maintainers <pkg-xfce-devel@lists.alioth.debian.org>:
Bug#437454; Package xfce4-terminal.


Acknowledgement sent to Tino Keitel <tino.keitel@tikei.de>:
Extra info received and forwarded to list. Copy sent to Debian Xfce Maintainers <pkg-xfce-devel@lists.alioth.debian.org>.


Message #25 received at 437454@bugs.debian.org:

From: Tino Keitel <tino.keitel@tikei.de>
To: 437454@bugs.debian.org
Subject: Re: [Pkg-xfce-devel] Bug#437454: fix for Etch still missing
Date: Fri, 24 Aug 2007 20:10:38 +0200
On Fri, Aug 24, 2007 at 17:11:04 +0100, Simon Huggins wrote:
> On Fri, Aug 24, 2007 at 05:19:08PM +0200, Tino Keitel wrote:
> > what is the status of this bug regarding Etch? The Etch version is
> > affected, too, and the fix should also apply to the Etch version.
> 
> I have untested packages for stable at:
> http://the.earth.li/~huggie/xfce4-terminal-fix/
> 
> If you have an amd64 box you can just install the deb.  Otherwise if you
> rebuild it from that .dsc/.diff.gz/.orig.tar.gz on your machine and can
> let me know that you can reproduce the bug on the old one but not the
> new that would be useful.
> 
> I need to test it myself tonight.

I can build it myself if I need them, but I don't use xfce4-terminal
from Etch. I just wondered why a security related bug that is fixed for
nearly 2 weeks in Sid is still not fixed in Etch.

Regards,
Tino



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xfce Maintainers <pkg-xfce-devel@lists.alioth.debian.org>:
Bug#437454; Package xfce4-terminal.


Acknowledgement sent to 437454@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Debian Xfce Maintainers <pkg-xfce-devel@lists.alioth.debian.org>.


Message #30 received at 437454@bugs.debian.org:

From: Simon Huggins <huggie@earth.li>
To: Tino Keitel <tino.keitel@tikei.de>, 437454@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: [Pkg-xfce-devel] Bug#437454: Bug#437454: fix for Etch still missing
Date: Fri, 24 Aug 2007 19:28:28 +0100
On Fri, Aug 24, 2007 at 08:10:38PM +0200, Tino Keitel wrote:
> On Fri, Aug 24, 2007 at 17:11:04 +0100, Simon Huggins wrote:
> > On Fri, Aug 24, 2007 at 05:19:08PM +0200, Tino Keitel wrote:
> > > what is the status of this bug regarding Etch? The Etch version is
> > > affected, too, and the fix should also apply to the Etch version.
> > I have untested packages for stable at:
> > http://the.earth.li/~huggie/xfce4-terminal-fix/
> > If you have an amd64 box you can just install the deb.  Otherwise if you
> > rebuild it from that .dsc/.diff.gz/.orig.tar.gz on your machine and can
> > let me know that you can reproduce the bug on the old one but not the
> > new that would be useful.
> > I need to test it myself tonight.
> I can build it myself if I need them, but I don't use xfce4-terminal
> from Etch. I just wondered why a security related bug that is fixed for
> nearly 2 weeks in Sid is still not fixed in Etch.

Because no one has picked this up and looked into it I guess.

I've tested the packages above in a stable chroot now.

Debdiff is:
	Depends: libatk1.0-0 (>= 1.12.2), libc6 (>= 2.3.5-1),
	[-libdbus-1-3,-] {+libdbus-1-3 (>= 0.94),+}

	libdbus-1-3 is 1.0.2-1 in stable.

	libdbus-glib-1-2 (>= 0.71),
	libexo-0.3-0 (>= [-0.3.1.10rc1-1),-] {+0.3.1.12rc2-1),+}

	0.3.1.12rc2-1 is current in stable.

	libglib2.0-0 (>= 2.12.0), libgtk2.0-0 (>= 2.8.0),
	libstartup-notification0 (>= 0.8-1), libvte4 (>= 1:0.12.1),
	libx11-6, libxfce4util4 (>= [-4.3.99.1)-] {+4.3.99.2)+}

	4.3.99.2 is in stable.

	Version: [-0.2.5.6rc1-2-] {+0.2.5.6rc1-2etch4+}


Security team, the packages above from
http://the.earth.li/~huggie/xfce4-terminal-fix/
are confirmed working and hopefully have the right distribution
(stable-security) and priority (high).

Can I upload them somewhere?

-- 
 _        huggie@earth.li      -+*+-     fou, con et anglais      _
(_)  <benj[w0rK]> naoko: ca marche parfaitement ... quand on a   (_)
(_)                  une carte QUI FONCTIONNE !                  (_)
  \___            <benj[w0rK]> alors camembert :)             ___/



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xfce Maintainers <pkg-xfce-devel@lists.alioth.debian.org>:
Bug#437454; Package xfce4-terminal.


Acknowledgement sent to Simon Huggins <huggie@earth.li>:
Extra info received and forwarded to list. Copy sent to Debian Xfce Maintainers <pkg-xfce-devel@lists.alioth.debian.org>.


Message #35 received at 437454@bugs.debian.org:

From: Simon Huggins <huggie@earth.li>
To: 437454@bugs.debian.org, team@security.debian.org
Subject: Re: [Pkg-xfce-devel] Bug#437454: Bug#437454: Bug#437454: fix for Etch still missing
Date: Wed, 10 Oct 2007 07:48:09 +0100
Security team, any news?

On Fri, Aug 24, 2007 at 07:28:28PM +0100, Simon Huggins wrote:
> On Fri, Aug 24, 2007 at 08:10:38PM +0200, Tino Keitel wrote:
> > On Fri, Aug 24, 2007 at 17:11:04 +0100, Simon Huggins wrote:
> > > On Fri, Aug 24, 2007 at 05:19:08PM +0200, Tino Keitel wrote:
> > > > what is the status of this bug regarding Etch? The Etch version is
> > > > affected, too, and the fix should also apply to the Etch version.
> > > I have untested packages for stable at:
> > > http://the.earth.li/~huggie/xfce4-terminal-fix/
> > > If you have an amd64 box you can just install the deb.  Otherwise if you
> > > rebuild it from that .dsc/.diff.gz/.orig.tar.gz on your machine and can
> > > let me know that you can reproduce the bug on the old one but not the
> > > new that would be useful.
> > > I need to test it myself tonight.
> > I can build it myself if I need them, but I don't use xfce4-terminal
> > from Etch. I just wondered why a security related bug that is fixed for
> > nearly 2 weeks in Sid is still not fixed in Etch.
> Because no one has picked this up and looked into it I guess.

> I've tested the packages above in a stable chroot now.

> Debdiff is:
> 	Depends: libatk1.0-0 (>= 1.12.2), libc6 (>= 2.3.5-1),
> 	[-libdbus-1-3,-] {+libdbus-1-3 (>= 0.94),+}

> 	libdbus-1-3 is 1.0.2-1 in stable.

> 	libdbus-glib-1-2 (>= 0.71),
> 	libexo-0.3-0 (>= [-0.3.1.10rc1-1),-] {+0.3.1.12rc2-1),+}

> 	0.3.1.12rc2-1 is current in stable.

> 	libglib2.0-0 (>= 2.12.0), libgtk2.0-0 (>= 2.8.0),
> 	libstartup-notification0 (>= 0.8-1), libvte4 (>= 1:0.12.1),
> 	libx11-6, libxfce4util4 (>= [-4.3.99.1)-] {+4.3.99.2)+}

> 	4.3.99.2 is in stable.

> 	Version: [-0.2.5.6rc1-2-] {+0.2.5.6rc1-2etch4+}

> Security team, the packages above from
> http://the.earth.li/~huggie/xfce4-terminal-fix/
> are confirmed working and hopefully have the right distribution
> (stable-security) and priority (high).

> Can I upload them somewhere?


Simon.

-- 
[ If at first you don't succeed, destroy all evidence that you tried.  ]




Bug marked as fixed in version 0.2.5.6rc1-2etch4. Request was from zobel@ftbfs.de (Martin Zobel-Helas) to control@bugs.debian.org. (Thu, 24 Jan 2008 15:42:03 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 22 Feb 2008 07:33:58 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:08:59 2019; Machine Name: beach
