Debian Bug report logs - #437454
CVE-2007-3770: execute arbitrary commands via crafted links using "Open Link" functionality
Reported by: Darren Salt <linux@youmustbejoking.demon.co.uk>
Date: Sun, 12 Aug 2007 16:36:04 UTC
Severity: grave
Tags: patch, security
Found in version xfce4-terminal/0.2.5.6rc1-2
Fixed in versions xfce4-terminal/0.2.6-3, xfce4-terminal/0.2.5.6rc1-2etch4
Done: Yves-Alexis Perez <corsac@corsac.net>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Xfce Maintainers <pkg-xfce-devel@lists.alioth.debian.org>: Bug#437454; Package xfce4-terminal.
Acknowledgement sent to Darren Salt <linux@youmustbejoking.demon.co.uk>: New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Xfce Maintainers <pkg-xfce-devel@lists.alioth.debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: xfce4-terminal
Version: 0.2.5.6rc1-2
Severity: grave
Tags: security, patch
CVE-2007-3770 says:
The terminal_helper_execute function in terminal/terminal.c in Xfce
Terminal 0.2.6 allows user-assisted remote attackers to execute arbitrary
commands via shell metacharacters in a crafted link, as demonstrated using
the "Open Link" functionality.
Upstream link: http://bugzilla.xfce.org/show_bug.cgi?id=3383
The attached patch fixes this: the code changes add shell quoting, using
g_shell_quote(), and the *.desktop.in files are modified to avoid
over-quoting (without this, we'd get "'foo'" instead of 'foo').
--
| Darren Salt | linux or ds at | nr. Ashington, | Toon
| RISC OS, Linux | youmustbejoking,demon,co,uk | Northumberland | Army
| + Use more efficient products. Use less. BE MORE ENERGY EFFICIENT.
Confucius say: He who post large binary, get flamed.
[01_CVE-2007-3770.patch (application/octet-stream, attachment)]
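To make the class of bug in the report above concrete, here is an added example in C, written for this page; it is not code from the Xfce Terminal source or from the attached patch. It assumes a hypothetical helper command template `x-www-browser %s` (the shape a `.desktop`-style helper entry would carry) and a constructed crafted link, and `shell_quote()` re-implements the documented behaviour of `g_shell_quote()` (single-quote the string, rewrite embedded `'` as `'\''`) so the block builds without GLib. It contrasts the verbatim substitution the CVE text describes with the quoted form, uses a small checker to show which metacharacters a POSIX shell would still interpret in each result, and shows the over-quoting (`"'foo'"` rather than `'foo'`) that the note about the `*.desktop.in` files refers to. Nothing here is passed to a shell.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Re-implementation of what GLib's g_shell_quote() does: wrap the string in
 * single quotes and rewrite each embedded single quote as '\'' so that a
 * POSIX shell reads the whole link as one literal word. Caller frees. */
char *shell_quote(const char *s)
{
    size_t n = 0;
    for (const char *p = s; *p; p++)
        n += (*p == '\'') ? 4 : 1;
    char *out = malloc(n + 3);          /* opening quote, closing quote, NUL */
    if (!out)
        return NULL;
    char *o = out;
    *o++ = '\'';
    for (const char *p = s; *p; p++) {
        if (*p == '\'') {
            memcpy(o, "'\\''", 4);
            o += 4;
        } else {
            *o++ = *p;
        }
    }
    *o++ = '\'';
    *o = '\0';
    return out;
}

/* Substitute the first "%s" in a helper command template with value. Caller frees. */
static char *substitute(const char *tmpl, const char *value)
{
    const char *at = strstr(tmpl, "%s");
    if (!at) {
        char *copy = malloc(strlen(tmpl) + 1);
        return copy ? strcpy(copy, tmpl) : NULL;
    }
    size_t pre = (size_t)(at - tmpl);
    char *out = malloc(strlen(tmpl) - 2 + strlen(value) + 1);
    if (!out)
        return NULL;
    memcpy(out, tmpl, pre);
    strcpy(out + pre, value);
    strcat(out, at + 2);
    return out;
}

/* VULNERABLE (the CVE-2007-3770 pattern): the link text goes into the template
 * verbatim, so when the result reaches /bin/sh -c, any ';', '|', '$(...)' or
 * backtick in the link is executed as shell syntax. Kept here for contrast. */
char *build_command_unquoted(const char *tmpl, const char *url)
{
    return substitute(tmpl, url);
}

/* HARDENED: quote the link first, as the fix does with g_shell_quote(). */
char *build_command_quoted(const char *tmpl, const char *url)
{
    char *q = shell_quote(url);
    if (!q)
        return NULL;
    char *cmd = substitute(tmpl, q);
    free(q);
    return cmd;
}

/* Count the metacharacters a POSIX shell would still interpret in cmd: those
 * outside single quotes and not backslash-escaped. Double quotes are deliberately
 * not modelled, so the count errs on the side of reporting. A correctly quoted
 * link contributes 0. */
int count_unquoted_metachars(const char *cmd)
{
    int in_sq = 0, n = 0;
    for (const char *p = cmd; *p; p++) {
        if (in_sq) {
            if (*p == '\'')
                in_sq = 0;
            continue;
        }
        if (*p == '\'') {
            in_sq = 1;
        } else if (*p == '\\' && p[1]) {
            p++;                        /* escaped character: skip it */
        } else if (strchr(";|&$`<>()", *p)) {
            n++;
        }
    }
    return n;
}

int main(void)
{
    /* Constructed sample data: a hypothetical browser template and a crafted link. */
    const char *tmpl = "x-www-browser %s";
    const char *crafted = "http://example.invalid/;touch /tmp/pwned";

    char *bad = build_command_unquoted(tmpl, crafted);
    char *good = build_command_quoted(tmpl, crafted);
    /* Over-quoting: a template that already wraps "%s" in double quotes hands the
     * browser literal single quotes around the URL. */
    char *over = build_command_quoted("x-www-browser \"%s\"", crafted);

    printf("unquoted:    %s  (shell-active metachars: %d)\n", bad, count_unquoted_metachars(bad));
    printf("quoted:      %s  (shell-active metachars: %d)\n", good, count_unquoted_metachars(good));
    printf("over-quoted: %s\n", over);

    free(bad);
    free(good);
    free(over);
    return 0;
}
```

The checker is a review aid, not a sanitiser: the correct fix is quoting at the point where the link is placed into the command (or avoiding the shell entirely and passing an argv), and the template must not add its own quotes around `%s` once the code quotes the value.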
Reply sent to Yves-Alexis Perez <corsac@corsac.net>: You have taken responsibility.
Notification sent to Darren Salt <linux@youmustbejoking.demon.co.uk>: Bug acknowledged by developer.
Message #10 received at 437454-close@bugs.debian.org:
Source: xfce4-terminal
Source-Version: 0.2.6-3
We believe that the bug you reported is fixed in the latest version of
xfce4-terminal, which is due to be installed in the Debian FTP archive:
xfce4-terminal_0.2.6-3.diff.gz
to pool/main/x/xfce4-terminal/xfce4-terminal_0.2.6-3.diff.gz
xfce4-terminal_0.2.6-3.dsc
to pool/main/x/xfce4-terminal/xfce4-terminal_0.2.6-3.dsc
xfce4-terminal_0.2.6-3_amd64.deb
to pool/main/x/xfce4-terminal/xfce4-terminal_0.2.6-3_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 437454@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yves-Alexis Perez <corsac@corsac.net> (supplier of updated xfce4-terminal package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 12 Aug 2007 18:00:09 +0100
Source: xfce4-terminal
Binary: xfce4-terminal
Architecture: source amd64
Version: 0.2.6-3
Distribution: unstable
Urgency: high
Maintainer: Debian Xfce Maintainers <pkg-xfce-devel@lists.alioth.debian.org>
Changed-By: Yves-Alexis Perez <corsac@corsac.net>
Description:
xfce4-terminal - Xfce terminal emulator
Closes: 437454
Changes:
xfce4-terminal (0.2.6-3) unstable; urgency=high
.
(Yves-Alexis Perez)
* debian/menu: switch to new menu policy.
(Simon Huggins)
* Fix security problem in URL handling code (CVE-2007-3770) thanks to Darren
Salt closes: #437454
* urgency high for the above.
Files:
d8960cd5fd13c5af5debbf92f0bd2af6 941 x11 optional xfce4-terminal_0.2.6-3.dsc
273f5f7976d025dc3f6789894c5a2bbe 14496 x11 optional xfce4-terminal_0.2.6-3.diff.gz
e4a1af5d70c5540d885e5f2cfebffb91 1266598 x11 optional xfce4-terminal_0.2.6-3_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFGv0OyMQdl+99c4rQRAn+aAJ9eao9E1SozSoc2NA1Sg+VIm3Y8JQCdGyZ0
HNcqrQMEYBoIbG20kQftPWU=
=GZei
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xfce Maintainers <pkg-xfce-devel@lists.alioth.debian.org>: Bug#437454; Package xfce4-terminal.
Acknowledgement sent to Tino Keitel <tino.keitel@tikei.de>: Extra info received and forwarded to list. Copy sent to Debian Xfce Maintainers <pkg-xfce-devel@lists.alioth.debian.org>.
Message #15 received at 437454@bugs.debian.org:
Hi,
what is the status of this bug regarding Etch? The Etch version is
affected, too, and the fix should also apply to the Etch version.
Regards,
Tino
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xfce Maintainers <pkg-xfce-devel@lists.alioth.debian.org>: Bug#437454; Package xfce4-terminal.
Acknowledgement sent to 437454@bugs.debian.org: Extra info received and forwarded to list. Copy sent to Debian Xfce Maintainers <pkg-xfce-devel@lists.alioth.debian.org>.
Message #20 received at 437454@bugs.debian.org:
On Fri, Aug 24, 2007 at 05:19:08PM +0200, Tino Keitel wrote:
> what is the status of this bug regarding Etch? The Etch version is
> affected, too, and the fix should also apply to the Etch version.
I have untested packages for stable at:
http://the.earth.li/~huggie/xfce4-terminal-fix/
If you have an amd64 box you can just install the deb. Otherwise if you
rebuild it from that .dsc/.diff.gz/.orig.tar.gz on your machine and can
let me know that you can reproduce the bug on the old one but not the
new that would be useful.
I need to test it myself tonight.
--
_ huggie@earth.li -+*+- fou, con et anglais _
(_) "No, the radio works. You don't" - Basil, Fawlty Towers (_)
(_) (_)
\___ ___/
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xfce Maintainers <pkg-xfce-devel@lists.alioth.debian.org>: Bug#437454; Package xfce4-terminal.
Acknowledgement sent to Tino Keitel <tino.keitel@tikei.de>: Extra info received and forwarded to list. Copy sent to Debian Xfce Maintainers <pkg-xfce-devel@lists.alioth.debian.org>.
Message #25 received at 437454@bugs.debian.org:
On Fri, Aug 24, 2007 at 17:11:04 +0100, Simon Huggins wrote:
> On Fri, Aug 24, 2007 at 05:19:08PM +0200, Tino Keitel wrote:
> > what is the status of this bug regarding Etch? The Etch version is
> > affected, too, and the fix should also apply to the Etch version.
>
> I have untested packages for stable at:
> http://the.earth.li/~huggie/xfce4-terminal-fix/
>
> If you have an amd64 box you can just install the deb. Otherwise if you
> rebuild it from that .dsc/.diff.gz/.orig.tar.gz on your machine and can
> let me know that you can reproduce the bug on the old one but not the
> new that would be useful.
>
> I need to test it myself tonight.
I can build it myself if I need them, but I don't use xfce4-terminal
from Etch. I just wondered why a security related bug that is fixed for
nearly 2 weeks in Sid is still not fixed in Etch.
Regards,
Tino
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xfce Maintainers <pkg-xfce-devel@lists.alioth.debian.org>: Bug#437454; Package xfce4-terminal.
Acknowledgement sent to 437454@bugs.debian.org: Extra info received and forwarded to list. Copy sent to Debian Xfce Maintainers <pkg-xfce-devel@lists.alioth.debian.org>.
Message #30 received at 437454@bugs.debian.org:
On Fri, Aug 24, 2007 at 08:10:38PM +0200, Tino Keitel wrote:
> On Fri, Aug 24, 2007 at 17:11:04 +0100, Simon Huggins wrote:
> > On Fri, Aug 24, 2007 at 05:19:08PM +0200, Tino Keitel wrote:
> > > what is the status of this bug regarding Etch? The Etch version is
> > > affected, too, and the fix should also apply to the Etch version.
> > I have untested packages for stable at:
> > http://the.earth.li/~huggie/xfce4-terminal-fix/
> > If you have an amd64 box you can just install the deb. Otherwise if you
> > rebuild it from that .dsc/.diff.gz/.orig.tar.gz on your machine and can
> > let me know that you can reproduce the bug on the old one but not the
> > new that would be useful.
> > I need to test it myself tonight.
> I can build it myself if I need them, but I don't use xfce4-terminal
> from Etch. I just wondered why a security related bug that is fixed for
> nearly 2 weeks in Sid is still not fixed in Etch.
Because no one has picked this up and looked into it I guess.
I've tested the packages above in a stable chroot now.
Debdiff is:
Depends: libatk1.0-0 (>= 1.12.2), libc6 (>= 2.3.5-1),
[-libdbus-1-3,-] {+libdbus-1-3 (>= 0.94),+}
libdbus-1-3 is 1.0.2-1 in stable.
libdbus-glib-1-2 (>= 0.71),
libexo-0.3-0 (>= [-0.3.1.10rc1-1),-] {+0.3.1.12rc2-1),+}
0.3.1.12rc2-1 is current in stable.
libglib2.0-0 (>= 2.12.0), libgtk2.0-0 (>= 2.8.0),
libstartup-notification0 (>= 0.8-1), libvte4 (>= 1:0.12.1),
libx11-6, libxfce4util4 (>= [-4.3.99.1)-] {+4.3.99.2)+}
4.3.99.2 is in stable.
Version: [-0.2.5.6rc1-2-] {+0.2.5.6rc1-2etch4+}
Security team, the packages above from
http://the.earth.li/~huggie/xfce4-terminal-fix/
are confirmed working and hopefully have the right distribution
(stable-security) and priority (high).
Can I upload them somewhere?
--
_ huggie@earth.li -+*+- fou, con et anglais _
(_) <benj[w0rK]> naoko: ca marche parfaitement ... quand on a (_)
(_) une carte QUI FONCTIONNE ! (_)
\___ <benj[w0rK]> alors camembert :) ___/
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xfce Maintainers <pkg-xfce-devel@lists.alioth.debian.org>: Bug#437454; Package xfce4-terminal.
Acknowledgement sent to Simon Huggins <huggie@earth.li>: Extra info received and forwarded to list. Copy sent to Debian Xfce Maintainers <pkg-xfce-devel@lists.alioth.debian.org>.
Message #35 received at 437454@bugs.debian.org:
Security team, any news?
On Fri, Aug 24, 2007 at 07:28:28PM +0100, Simon Huggins wrote:
> On Fri, Aug 24, 2007 at 08:10:38PM +0200, Tino Keitel wrote:
> > On Fri, Aug 24, 2007 at 17:11:04 +0100, Simon Huggins wrote:
> > > On Fri, Aug 24, 2007 at 05:19:08PM +0200, Tino Keitel wrote:
> > > > what is the status of this bug regarding Etch? The Etch version is
> > > > affected, too, and the fix should also apply to the Etch version.
> > > I have untested packages for stable at:
> > > http://the.earth.li/~huggie/xfce4-terminal-fix/
> > > If you have an amd64 box you can just install the deb. Otherwise if you
> > > rebuild it from that .dsc/.diff.gz/.orig.tar.gz on your machine and can
> > > let me know that you can reproduce the bug on the old one but not the
> > > new that would be useful.
> > > I need to test it myself tonight.
> > I can build it myself if I need them, but I don't use xfce4-terminal
> > from Etch. I just wondered why a security related bug that is fixed for
> > nearly 2 weeks in Sid is still not fixed in Etch.
> Because no one has picked this up and looked into it I guess.
> I've tested the packages above in a stable chroot now.
> Debdiff is:
> Depends: libatk1.0-0 (>= 1.12.2), libc6 (>= 2.3.5-1),
> [-libdbus-1-3,-] {+libdbus-1-3 (>= 0.94),+}
> libdbus-1-3 is 1.0.2-1 in stable.
> libdbus-glib-1-2 (>= 0.71),
> libexo-0.3-0 (>= [-0.3.1.10rc1-1),-] {+0.3.1.12rc2-1),+}
> 0.3.1.12rc2-1 is current in stable.
> libglib2.0-0 (>= 2.12.0), libgtk2.0-0 (>= 2.8.0),
> libstartup-notification0 (>= 0.8-1), libvte4 (>= 1:0.12.1),
> libx11-6, libxfce4util4 (>= [-4.3.99.1)-] {+4.3.99.2)+}
> 4.3.99.2 is in stable.
> Version: [-0.2.5.6rc1-2-] {+0.2.5.6rc1-2etch4+}
> Security team, the packages above from
> http://the.earth.li/~huggie/xfce4-terminal-fix/
> are confirmed working and hopefully have the right distribution
> (stable-security) and priority (high).
> Can I upload them somewhere?
Simon.
--
[ If at first you don't succeed, destroy all evidence that you tried. ]
Bug marked as fixed in version 0.2.5.6rc1-2etch4. Request was from zobel@ftbfs.de (Martin Zobel-Helas) to control@bugs.debian.org. (Thu, 24 Jan 2008 15:42:03 GMT)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 22 Feb 2008 07:33:58 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 18:08:59 2019; Machine Name: beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.