Your message dated Sun, 22 Feb 2015 16:20:27 +0000
with message-id <[email protected]>
and subject line Bug#777722: fixed in xdg-utils 1.1.0~rc1+git20111210-7.4
has caused the Debian Bug report #777722,
regarding xdg-open: CVE-2015-1877: command injection vulnerability
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
777722: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=777722
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: xdg-utils
Version: 1.1.0~rc1+git20111210-7.3
Severity: grave
Tags: security patch
Justification: user security hole
Hi,
there is a long-standing issue with xdg-open on Debian -- it parses all files
it is trying to open. This is easily exploitable. Requirements are similar to those
in the last RCE: a Window Manager which is _NOT_ one of the following:
* KDE
* GNOME
* MATE
* XFCE
* ENLIGHTENMENT
The problem is caused by a name collision in local variables, which are apparently
not very local in this case (maybe also a dash problem?)
The exploit was made from a Wikipedia image [0].
It would be nice to have it fixed in jessie.
Cheers,
Jiri
[0] https://commons.wikimedia.org/wiki/Category:Unidentified_animals#mediaviewer/File:Augochlora_buscki,_M,_Back5,_Puerto_Rico,_Yauco_2014-09-15-18.11.39_ZS_PMax_(16292752499).jpg
-- System Information:
Debian Release: 8.0
APT prefers testing
APT policy: (990, 'testing'), (500, 'testing-updates'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
xdg-utils depends on no packages.
Versions of packages xdg-utils recommends:
pn libfile-mimeinfo-perl <none>
pn libnet-dbus-perl <none>
pn libx11-protocol-perl <none>
ii x11-utils 7.7+2
ii x11-xserver-utils 7.7+3+b1
Versions of packages xdg-utils suggests:
pn gvfs-bin <none>
-- no debconf information
--- xdg-open.orig 2015-02-11 21:40:42.560282993 +0100
+++ xdg-open 2015-02-11 21:44:10.695894428 +0100
@@ -538,16 +538,16 @@
DEBUG 3 "$xdg_user_dir:$xdg_system_dirs"
for x in `echo "$xdg_user_dir:$xdg_system_dirs" | sed 's/:/ /g'`; do
- local file
+ local desktop_file
# look for both vendor-app.desktop, vendor/app.desktop
if [ -r "$x/applications/$default" ]; then
- file="$x/applications/$default"
+ desktop_file="$x/applications/$default"
elif [ -r "$x/applications/`echo $default | sed -e 's|-|/|'`" ]; then
- file="$x/applications/`echo $default | sed -e 's|-|/|'`"
+ desktop_file="$x/applications/`echo $default | sed -e 's|-|/|'`"
fi
- if [ -r "$file" ] ; then
- set -- $(sed -n 's/^Exec\(\[[^]]*\]\)\{0,1\}=//p' "$file")
+ if [ -r "$desktop_file" ] ; then
+ set -- $(sed -n 's/^Exec\(\[[^]]*\]\)\{0,1\}=//p' "$desktop_file")
command_exec="$(which "$1" 2> /dev/null)"
if [ -x "$command_exec" ] ; then
shift
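Review bot: the rename from `file` to `desktop_file` removes the collision with the caller's `file` (the document being opened), but the loop still assumes `local desktop_file` starts out empty, which dash does not guarantee: `local` without an initializer inherits whatever value the name currently holds, so on a later iteration `$desktop_file` can still name the previous directory's match and `if [ -r "$desktop_file" ] ; then` passes even when the current directory has nothing. Consider clearing it at the top of the loop body (`desktop_file=`) or writing `local desktop_file=""` so the check only ever sees a file found in this iteration. The unquoted `set -- $(sed -n 's/^Exec\(\[[^]]*\]\)\{0,1\}=//p' "$desktop_file")` also word-splits and glob-expands the Exec= value before `which "$1"` runs; that is pre-existing, but a comment there would help since it is the line where the parsed value becomes a command.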
--- End Message ---
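A stand-alone model of the collision described in the report and of the rename in the patch above, added here as an example and not xdg-utils code: it rebuilds the lookup loop with the pre-patch and post-patch variable names, runs both against a constructed fixture, and shows which file each version reads its Exec= line from. The function names (local_inherits, vuln_exec_line, fixed_exec_line), the fixture paths and the desktop name app.desktop are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not xdg-utils code: a model of the lookup loop patched above.
# Constructed fixture: the "image" a user asks xdg-open to open carries an Exec=
# line, and the applications dir does NOT contain the .desktop file being sought.
fixture=$(mktemp -d)
trap 'rm -rf "$fixture"' EXIT
mkdir -p "$fixture/applications"
printf 'GIF89a not really an image\nExec=injected-command\n' > "$fixture/opened-image.gif"

# Does `local NAME` without an initializer inherit the caller's value? Yes on
# dash (Debian's /bin/sh), no on bash. That difference is what made the bug reachable.
local_inherits() {
    probe=outer
    _probe_fn() { local probe; [ "$probe" = outer ]; }
    _probe_fn
}

# Before the patch: the loop's `local file` collides with the caller's `file`
# (the document being opened). When no .desktop file is found in a directory,
# `$file` still names the document, whose Exec= line is then read as a command.
vuln_exec_line() {   # $1 document, $2 colon-separated dir list, $3 desktop name
    file=$1
    for x in $(echo "$2" | sed 's/:/ /g'); do
        local file
        if [ -r "$x/applications/$3" ]; then file="$x/applications/$3"; fi
        if [ -r "$file" ]; then sed -n 's/^Exec\(\[[^]]*\]\)\{0,1\}=//p' "$file"; fi
    done
    return 0
}

# After the patch: the loop uses its own name, so a missing .desktop file yields
# nothing and the document being opened is never parsed for Exec= lines.
fixed_exec_line() {
    file=$1
    for x in $(echo "$2" | sed 's/:/ /g'); do
        local desktop_file
        if [ -r "$x/applications/$3" ]; then desktop_file="$x/applications/$3"; fi
        if [ -r "$desktop_file" ]; then sed -n 's/^Exec\(\[[^]]*\]\)\{0,1\}=//p' "$desktop_file"; fi
    done
    return 0
}

doc="$fixture/opened-image.gif"
echo "local inherits caller value: $(local_inherits && echo yes || echo no)"
echo "vulnerable loop read Exec= : [$(vuln_exec_line "$doc" "$fixture" app.desktop)]"
echo "patched loop read Exec=    : [$(fixed_exec_line "$doc" "$fixture" app.desktop)]"
```

Run it once with dash and once with bash: the vulnerable loop reports an Exec= value only under dash, where `local` inherits the caller's value, while the patched loop reports nothing under either shell.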
--- Begin Message ---
Source: xdg-utils
Source-Version: 1.1.0~rc1+git20111210-7.4
We believe that the bug you reported is fixed in the latest version of
xdg-utils, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated xdg-utils package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Fri, 20 Feb 2015 16:24:18 +0100
Source: xdg-utils
Binary: xdg-utils
Architecture: source all
Version: 1.1.0~rc1+git20111210-7.4
Distribution: unstable
Urgency: medium
Maintainer: Per Olofsson <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Description:
xdg-utils - desktop integration utilities from freedesktop.org
Closes: 777722
Changes:
xdg-utils (1.1.0~rc1+git20111210-7.4) unstable; urgency=medium
.
* Non-maintainer upload.
* Add CVE-2015-1877.patch patch.
CVE-2015-1877: Command injection vulnerability due to local variables
collision.
Thanks to Jiri Horner <[email protected]> (Closes: #777722)
--- End Message ---