abiword: CVE-2017-17529

Related Vulnerabilities: CVE-2017-17529  

Debian Bug report logs - #884923
abiword: CVE-2017-17529

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 21 Dec 2017 12:57:02 UTC

Severity: normal

Tags: moreinfo, security, upstream

Found in version abiword/3.0.2-5


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#884923; Package src:abiword. (Thu, 21 Dec 2017 12:57:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian QA Group <packages@qa.debian.org>. (Thu, 21 Dec 2017 12:57:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: abiword: CVE-2017-17529
Date: Thu, 21 Dec 2017 13:55:30 +0100
Source: abiword
Version: 3.0.2-5
Severity: normal
Tags: security upstream

Hi,

the following vulnerability was published for abiword.

CVE-2017-17529[0]:
| af/util/xp/ut_go_file.cpp in AbiWord 3.0.2-2 does not validate strings
| before launching the program specified by the BROWSER environment
| variable, which might allow remote attackers to conduct
| argument-injection attacks via a crafted URL.

Might be possible to just compile with --with-gnomevfs and not use the
problematic function.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-17529
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17529

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Simon Quigley <tsimonq2@ubuntu.com>:
You have taken responsibility. (Sun, 11 Mar 2018 11:21:04 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 11 Mar 2018 11:21:04 GMT) (full text, mbox, link).


Message #10 received at 884923-close@bugs.debian.org (full text, mbox, reply):

From: Simon Quigley <tsimonq2@ubuntu.com>
To: 884923-close@bugs.debian.org
Subject: Bug#884923: fixed in abiword 3.0.2-6
Date: Sun, 11 Mar 2018 11:19:15 +0000
Source: abiword
Source-Version: 3.0.2-6

We believe that the bug you reported is fixed in the latest version of
abiword, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 884923@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon Quigley <tsimonq2@ubuntu.com> (supplier of updated abiword package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 11 Mar 2018 04:41:01 -0500
Source: abiword
Binary: abiword-common abiword abiword-plugin-grammar libabiword-3.0 libabiword-dev gir1.2-abi-3.0
Architecture: source
Version: 3.0.2-6
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Simon Quigley <tsimonq2@ubuntu.com>
Description:
 abiword    - efficient, featureful word processor with collaboration
 abiword-common - efficient, featureful word processor with collaboration -- common
 abiword-plugin-grammar - grammar checking plugin for AbiWord
 gir1.2-abi-3.0 - GObject introspection data for libabiword
 libabiword-3.0 - efficient, featureful word processor with collaboration -- shared
 libabiword-dev - efficient, featureful word processor with collaboration -- develo
Closes: 884923
Changes:
 abiword (3.0.2-6) unstable; urgency=medium
 .
   * QA upload.
   * Compile with --with-gnomevfs to fix CVE-2017-17529
     (Closes: #884923).
   * Bump to debhelper compat 11, no changes needed.
   * Bump Standards-version to 4.1.3, no changes needed.
   * Update Vcs-* to reflect the move to Salsa.





Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#884923; Package src:abiword. (Sun, 11 Mar 2018 11:57:07 GMT) (full text, mbox, link).


Acknowledgement sent to Jeremy Bicha <jbicha@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Sun, 11 Mar 2018 11:57:07 GMT) (full text, mbox, link).


Message #15 received at 884923@bugs.debian.org (full text, mbox, reply):

From: Jeremy Bicha <jbicha@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 884923@bugs.debian.org
Subject: Re: Bug#884923: abiword: CVE-2017-17529
Date: Sun, 11 Mar 2018 07:52:13 -0400
Control: reopen -1
Control: tags -1 moreinfo

On Thu, Dec 21, 2017 at 7:55 AM, Salvatore Bonaccorso <carnil@debian.org> wrote:
> Source: abiword
> Version: 3.0.2-5
> Severity: normal
> Tags: security upstream
>
> Hi,
>
> the following vulnerability was published for abiword.
>
> CVE-2017-17529[0]:
> | af/util/xp/ut_go_file.cpp in AbiWord 3.0.2-2 does not validate strings
> | before launching the program specified by the BROWSER environment
> | variable, which might allow remote attackers to conduct
> | argument-injection attacks via a crafted URL.
>
> Might be possible to just compile with --with-gnomevfs and not use the
> problematic function.

The --with-gnomevfs option is only for gtk2, but we build Abiword with gtk3.

Also, it would be an RC bug to actually depend on gnome-vfs [1]

https://lists.debian.org/debian-devel/2018/02/msg00169.html

Has this issue even been reported to the Abiword developers?

Thanks,
Jeremy Bicha



Bug reopened Request was from Jeremy Bicha <jbicha@debian.org> to 884923-submit@bugs.debian.org. (Sun, 11 Mar 2018 11:57:07 GMT) (full text, mbox, link).


No longer marked as fixed in versions abiword/3.0.2-6. Request was from Jeremy Bicha <jbicha@debian.org> to 884923-submit@bugs.debian.org. (Sun, 11 Mar 2018 11:57:08 GMT) (full text, mbox, link).


Added tag(s) moreinfo. Request was from Jeremy Bicha <jbicha@debian.org> to 884923-submit@bugs.debian.org. (Sun, 11 Mar 2018 11:57:08 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#884923; Package src:abiword. (Sun, 11 Mar 2018 12:45:06 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Sun, 11 Mar 2018 12:45:06 GMT) (full text, mbox, link).


Message #26 received at 884923@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Jeremy Bicha <jbicha@debian.org>, 884923@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#884923: abiword: CVE-2017-17529
Date: Sun, 11 Mar 2018 13:40:29 +0100

Hi Jeremy,

On Sun, Mar 11, 2018 at 07:52:13AM -0400, Jeremy Bicha wrote:
> Control: reopen -1
> Control: tags -1 moreinfo
> 
> On Thu, Dec 21, 2017 at 7:55 AM, Salvatore Bonaccorso <carnil@debian.org> wrote:
> > Source: abiword
> > Version: 3.0.2-5
> > Severity: normal
> > Tags: security upstream
> >
> > Hi,
> >
> > the following vulnerability was published for abiword.
> >
> > CVE-2017-17529[0]:
> > | af/util/xp/ut_go_file.cpp in AbiWord 3.0.2-2 does not validate strings
> > | before launching the program specified by the BROWSER environment
> > | variable, which might allow remote attackers to conduct
> > | argument-injection attacks via a crafted URL.
> >
> > Might be possible to just compile with --with-gnomevfs and not use the
> > problematic function.
> 
> The --with-gnomevfs option is only for gtk2, but we build Abiword with gtk3.
> 
> Also, it would be an RC bug to actually depend on gnome-vfs [1]
> 
> https://lists.debian.org/debian-devel/2018/02/msg00169.html
> 
> Has this issue even been reported to the Abiword developers?

Don't think this was ever forwarded to abiword's upstream. Is abiword
upstream still active?

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#884923; Package src:abiword. (Sun, 11 Mar 2018 12:51:05 GMT) (full text, mbox, link).


Acknowledgement sent to Jeremy Bicha <jbicha@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Sun, 11 Mar 2018 12:51:05 GMT) (full text, mbox, link).


Message #31 received at 884923@bugs.debian.org (full text, mbox, reply):

From: Jeremy Bicha <jbicha@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 884923@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#884923: abiword: CVE-2017-17529
Date: Sun, 11 Mar 2018 08:45:42 -0400

On Sun, Mar 11, 2018 at 8:40 AM, Salvatore Bonaccorso <carnil@debian.org> wrote:
> Is abiword upstream still active?

Yes.

https://bugzilla.abisource.com/

Here's a git mirror of their svn repo. The git mirror is sometimes a
bit out of date.
https://github.com/AbiWord/abiword/commits/trunk

Thanks,
Jeremy Bicha



Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#884923; Package src:abiword. (Mon, 12 Mar 2018 21:09:06 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Mon, 12 Mar 2018 21:09:06 GMT) (full text, mbox, link).


Message #36 received at 884923@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Jeremy Bicha <jbicha@debian.org>
Cc: 884923@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#884923: abiword: CVE-2017-17529
Date: Mon, 12 Mar 2018 22:07:05 +0100

Jeremy,

On Sun, Mar 11, 2018 at 08:45:42AM -0400, Jeremy Bicha wrote:
> On Sun, Mar 11, 2018 at 8:40 AM, Salvatore Bonaccorso <carnil@debian.org> wrote:
> > Is abiword upstream still active?
> 
> Yes.
> 
> https://bugzilla.abisource.com/
> 
> Here's a git mirror of their svn repo. The git mirror is sometimes a
> bit out of date.
> https://github.com/AbiWord/abiword/commits/trunk

Thanks, indeed for the pointer.

Can you forward the issue to upstream?

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#884923; Package src:abiword. (Sun, 27 May 2018 20:57:02 GMT) (full text, mbox, link).


Acknowledgement sent to Gabriel Corona <gabriel.corona@enst-bretagne.fr>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Sun, 27 May 2018 20:57:02 GMT) (full text, mbox, link).


Message #41 received at 884923@bugs.debian.org (full text, mbox, reply):

From: Gabriel Corona <gabriel.corona@enst-bretagne.fr>
To: 884923@bugs.debian.org
Subject: Re: abiword: CVE-2017-17529
Date: Sun, 27 May 2018 22:54:06 +0200

Hi,

Are you sure this is vulnerable? I did not manage to trigger anything
problematic.

The code referenced is (in fallback_open_uri):


gint    argc;
gchar **argv = NULL;
char   *cmd_line = g_strconcat (browser, " %1", NULL);

if (g_shell_parse_argv (cmd_line, &argc, &argv, err)) {
  /* check for '%1' in an argument and substitute the url
   * otherwise append it */
  gint i;
  char *tmp;

  for (i = 1 ; i < argc ; i++)
    if (NULL != (tmp = strstr (argv[i], "%1"))) {
      *tmp = '\0';
      tmp = g_strconcat (argv[i],
        (clean_url != NULL) ? (char const *)clean_url : url,
        tmp+2, NULL);
      g_free (argv[i]);
      argv[i] = tmp;
      break;
    }

  /* there was actually a %1, drop the one we added */
  if (i != argc-1) {
    g_free (argv[argc-1]);
    argv[argc-1] = NULL;
  }
  g_spawn_async (NULL, argv, NULL, G_SPAWN_SEARCH_PATH,
    NULL, NULL, NULL, err);
  g_strfreev (argv);
}
g_free (cmd_line);


This seems correct with respect to injection through the URI:
the URI string cannot be expanded into multiple arguments
and is not passed to `system()`.

-- 
Gabriel
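
The point made in the message above, shown as an added example that is not part of the original thread or of AbiWord's code: the BROWSER string is split into arguments first and the URL is substituted afterwards, so the URL stays one argv element. Python's `shlex.split` stands in for `g_shell_parse_argv`; the `viewer` command, its `--open` option and the sample URL are constructed for illustration.

```python
import shlex

# Constructed sample URL containing whitespace, an option-like token and quotes.
URL = "http://example.test/a b --flag 'x'"


def build_argv(browser, url):
    """Parse BROWSER first, substitute the URL afterwards (order of the quoted C code)."""
    argv = shlex.split(browser + " %1")  # stand-in for g_shell_parse_argv
    argc = len(argv)
    hit = argc  # mirrors the C loop variable i when the loop ends without a break
    for i in range(1, argc):
        pos = argv[i].find("%1")
        if pos != -1:
            # Replace only inside this one element; the URL is never re-parsed.
            argv[i] = argv[i][:pos] + url + argv[i][pos + 2:]
            hit = i
            break
    if hit != argc - 1:
        argv.pop()  # BROWSER already contained %1, drop the appended one
    return argv


def build_argv_substitute_first(browser, url):
    """Counter-example, not AbiWord's code: substitute the URL, then word-split."""
    template = browser if "%1" in browser else browser + " %1"
    return shlex.split(template.replace("%1", url, 1))


if __name__ == "__main__":
    for browser in ("viewer", "viewer --open=%1 --quiet"):  # hypothetical values
        print(build_argv(browser, URL))
        print(build_argv_substitute_first(browser, URL))
```

With the parse-then-substitute order the argument count depends only on BROWSER; with the reversed order the same URL becomes several arguments.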



Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#884923; Package src:abiword. (Fri, 04 Jan 2019 20:33:07 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Fri, 04 Jan 2019 20:33:07 GMT) (full text, mbox, link).


Message #46 received at 884923@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 884923@bugs.debian.org
Cc: Jeremy Bicha <jbicha@debian.org>, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#884923: abiword: CVE-2017-17529
Date: Fri, 4 Jan 2019 21:31:40 +0100

Hi Jeremy,

On Mon, Mar 12, 2018 at 10:07:05PM +0100, Salvatore Bonaccorso wrote:
> Jeremy,
> 
> On Sun, Mar 11, 2018 at 08:45:42AM -0400, Jeremy Bicha wrote:
> > On Sun, Mar 11, 2018 at 8:40 AM, Salvatore Bonaccorso <carnil@debian.org> wrote:
> > > Is abiword upstream still active?
> > 
> > Yes.
> > 
> > https://bugzilla.abisource.com/
> > 
> > Here's a git mirror of their svn repo. The git mirror is sometimes a
> > bit out of date.
> > https://github.com/AbiWord/abiword/commits/trunk
> 
> Thanks, indeed for the pointer.
> 
> Can you forward the issue to upstream?

Did you get a chance to ping upstream on that issue and report it?

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#884923; Package src:abiword. (Fri, 04 Jan 2019 22:09:08 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Fri, 04 Jan 2019 22:09:08 GMT) (full text, mbox, link).


Message #51 received at 884923@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Gabriel Corona <gabriel.corona@enst-bretagne.fr>
Cc: 884923@bugs.debian.org
Subject: Re: abiword: CVE-2017-17529
Date: Fri, 4 Jan 2019 23:05:44 +0100

On Sun, May 27, 2018 at 10:54:06PM +0200, Gabriel Corona wrote:
> This seems correct with respect to injection through the URI:
> the URI string cannot be expanded into multiple arguments
> and is not passed to `system()`.

Agreed, this CVE seems like a non issue, the CVE entry at MITRE
also only refers back to the Security Tracker...

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#884923; Package src:abiword. (Fri, 04 Jan 2019 22:21:13 GMT) (full text, mbox, link).


Acknowledgement sent to Jeremy Bicha <jbicha@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Fri, 04 Jan 2019 22:21:13 GMT) (full text, mbox, link).


Message #56 received at 884923@bugs.debian.org (full text, mbox, reply):

From: Jeremy Bicha <jbicha@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 884923@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#884923: abiword: CVE-2017-17529
Date: Fri, 4 Jan 2019 17:19:47 -0500

On Fri, Jan 4, 2019 at 3:31 PM Salvatore Bonaccorso <carnil@debian.org> wrote:
> Did you get a chance to ping upstream on that issue and report it?

No, but you can if you like.

https://gitlab.gnome.org/World/AbiWord is the current source repo, but
you might need to still use bugzilla for reporting issues.

Thanks,
Jeremy Bicha




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:22:52 2019; Machine Name: beach
