*** This bug is a security vulnerability ***

Public security bug reported:

[Impact]

CVE-2021-32563 affects Thunar versions found in supported releases.
https://nvd.nist.gov/vuln/detail/CVE-2021-32563

From the CVE:

An issue was discovered in Thunar before 4.16.7 and 4.17.x before 4.17.2. When called with a regular file as a command-line argument, it delegates to a different program (based on the file type) without user confirmation. This could be used to achieve code execution.

Related upstream issues:
- https://gitlab.xfce.org/xfce/thunar/-/issues/121
- https://gitlab.xfce.org/xfce/thunar/-/issues/575

The patches required for each supported release can be found here:

1.8.x for focal, groovy:
https://gitlab.xfce.org/xfce/thunar/-/commit/1b85b96ebf7cb9bf6a3ddf1acee7643643fdf92d

4.16.x for hirsute:
https://gitlab.xfce.org/xfce/thunar/-/commit/9165a61f95e43cc0b5abf9b98eee2818a0191e0b
https://gitlab.xfce.org/xfce/thunar/-/commit/3b54d9d7dbd7fd16235e2141c43a7f18718f5664

[Test Plan]

1. Execute `thunar ~/Pictures/icon.png`
2. The default application loads the file.

Expected behavior: Thunar should instead open, selecting the file.

[Where problems could occur]

Scripts and applications depending on the previous functionality will be adversely affected. Since this functionality (opening the default application instead of navigating to it) is specific to Thunar and not found in other file managers, this change should have minimal regression impact.

[Other Info]

We've done some preliminary work to resolve this issue:
https://github.com/Xubuntu/xubuntu-development/issues/6 (with a verification for the fix).

Builds can be found here:
https://launchpad.net/~xubuntu-dev/+archive/ubuntu/sru-staging

** Affects: thunar (Ubuntu)
   Importance: Undecided
   Status: Fix Released

** Affects: thunar (Ubuntu Focal)
   Importance: Undecided
   Status: New

** Affects: thunar (Ubuntu Groovy)
   Importance: Undecided
   Status: New

** Affects: thunar (Ubuntu Hirsute)
   Importance: Undecided
   Status: New

** Affects: thunar (Ubuntu Impish)
   Importance: Undecided
   Status: Fix Released

** Also affects: thunar (Ubuntu Groovy)
   Importance: Undecided
   Status: New

** Also affects: thunar (Ubuntu Hirsute)
   Importance: Undecided
   Status: New

** Also affects: thunar (Ubuntu Impish)
   Importance: Undecided
   Status: New

** Also affects: thunar (Ubuntu Focal)
   Importance: Undecided
   Status: New

** Changed in: thunar (Ubuntu Impish)
   Status: New => Fix Released

--
https://bugs.launchpad.net/bugs/1931510
Title: [SRU] Thunar CVE-2021-32563 (focal, groovy, hirsute)

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
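A triage helper, added here and not part of the bug report or of the Thunar project: it maps an upstream Thunar version string onto the affected ranges quoted from the CVE above (before 4.16.7, or 4.17.x before 4.17.2) and pulls the version number out of a `thunar --version`-style line. The sample line is constructed, and the `thunar --version` output format is an assumption. Distribution packages such as the 1.8.x focal/groovy builds receive the fix as a backported patch without a version bump, so a "not affected" result from a version check is only a first pass; the [Test Plan] above (opening a regular file should select it in Thunar rather than launch the default application) remains the actual verification.

```shell
#!/bin/sh
# Added example (not from the bug report): version triage for CVE-2021-32563.

# Compare two dotted numeric versions; prints -1, 0 or 1.
# Missing components are treated as 0, so 4.16 == 4.16.0.
vercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      p = (i <= na) ? x[i] + 0 : 0
      q = (i <= nb) ? y[i] + 0 : 0
      if (p < q) { print -1; exit }
      if (p > q) { print 1; exit }
    }
    print 0
  }'
}

# Succeeds (exit 0) when VER lies in a range the CVE text calls affected:
#   - anything before 4.16.7 (this includes the 1.8.x series), or
#   - a 4.17.x release before 4.17.2.
thunar_affected() {
  ver=$1
  case "$ver" in
    4.17|4.17.*) [ "$(vercmp "$ver" 4.17.2)" -lt 0 ] ;;
    *)           [ "$(vercmp "$ver" 4.16.7)" -lt 0 ] ;;
  esac
}

# Extract the first dotted number from a version banner line, e.g. a
# constructed "Thunar 4.16.6 (Xfce 4.16)" yields 4.16.6.
parse_version_line() {
  printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Best-effort check of the locally installed binary; prints nothing when
# thunar is not on PATH. Assumes the banner is the first line of --version.
thunar_installed_version() {
  command -v thunar >/dev/null 2>&1 || return 1
  parse_version_line "$(thunar --version 2>/dev/null | head -n 1)"
}

# Usage (only runs when the script is executed, not when sourced by a test):
if [ "${0##*/}" = "thunar_cve_check.sh" ]; then
  v=$(thunar_installed_version) || { echo "thunar not installed"; exit 0; }
  if thunar_affected "$v"; then
    echo "Thunar $v: upstream version is in an affected range; verify the distro patch"
  else
    echo "Thunar $v: upstream version is outside the affected ranges"
  fi
fi
```

The awk-based comparison avoids depending on `dpkg --compare-versions` or GNU `sort -V`, so the same file works on a non-Debian host or in a minimal container used for triage.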