Hi,

Nico Golde wrote:
> Source: xdg-utils
> Severity: grave
> Tags: security patch
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for xdg-utils.

The code in question is not present in the Debian package, because I have patched it to use run-mailcap or sensible-browser instead. The code:

> | browser_with_arg=`echo "$browser" | sed s#%s#"$1"#`
> |
> | if [ x"$browser_with_arg" = x"$browser" ]; then "$browser" "$1";
> | else $browser_with_arg;
> | fi

has been replaced by the patch debian/patches/xdg-open-generic with:

    if which run-mailcap >/dev/null && (echo "$1" | grep -q '^file://' || ! echo "$1" | egrep -q '^[a-zA-Z+\.\-]+:'); then
        local file=$(echo "$1" | sed 's%^file://%%')
        run-mailcap --action=view "$file"
    else
        sensible-browser "$1"
    fi

which does not use sed in the insecure way referred to by the CVE.

-- Pelle
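As an added illustration (not part of this message, the Debian patch or upstream xdg-utils), the script below contrasts the removed sed/%s expansion with an argv-based substitution that hands the URL to the handler as exactly one word, and factors the patch's dispatch rule into a function that only reports its choice. The names count_args, old_style, new_style and choose_handler are constructed; choose_handler assumes run-mailcap is installed and omits the patch's `which` check.

```shell
#!/bin/sh
# Added example, not code from the Debian patch or from xdg-utils. Names
# (count_args, old_style, new_style, choose_handler) are constructed.

# Stand-in for the browser (constructed): reports how many arguments it got
# and the first one, so the effect of word splitting is visible.
count_args() { printf '%s|%s\n' "$#" "$1"; }

# The removed approach: sed pastes the URL into the command template and the
# result is expanded unquoted, so the shell re-parses the URL's contents.
old_style() {
    browser="count_args %s"
    browser_with_arg=$(echo "$browser" | sed s#%s#"$1"#)
    $browser_with_arg
}

# Argv-based substitution: the template (trusted configuration) is split into
# words once; each "%s" word is replaced by the URL as a single argument.
new_style() {
    url=$1
    set -- count_args %s
    for word in "$@"; do
        shift
        if [ "$word" = '%s' ]; then set -- "$@" "$url"; else set -- "$@" "$word"; fi
    done
    "$@"
}

# The dispatch rule from debian/patches/xdg-open-generic, reduced to a pure
# choice: local files and scheme-less paths go to run-mailcap, anything with
# a URL scheme to sensible-browser. Assumes run-mailcap is installed (the
# patch checks with `which`); nothing is launched here.
choose_handler() {
    if printf '%s\n' "$1" | grep -q '^file://' \
       || ! printf '%s\n' "$1" | grep -Eq '^[a-zA-Z+.-]+:'; then
        file=$(printf '%s\n' "$1" | sed 's%^file://%%')
        printf 'run-mailcap %s\n' "$file"
    else
        printf 'sensible-browser %s\n' "$1"
    fi
}

old_style 'a b'                        # 2|a   (URL split into two arguments)
new_style 'a b'                        # 1|a b (one argument, intact)
choose_handler 'file:///tmp/a b.txt'   # run-mailcap /tmp/a b.txt
```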