[Secure-testing-team] Bug#777722: xdg-open: another command injection vulnerability
Jiri Horner
laeqten at gmail.com
Wed Feb 11 22:10:24 UTC 2015
Package: xdg-utils
Version: 1.1.0~rc1+git20111210-7.3
Severity: grave
Tags: security patch
Justification: user security hole
Hi,
there is a long-standing issue with xdg-open on Debian -- it parses all files it is trying to open. This is easily exploitable. The requirements are similar to those of the last RCE: a window manager which is _NOT_ one of the following:
* KDE
* GNOME
* MATE
* XFCE
* ENLIGHTENMENT
The problem is caused by a name collision in local variables, which are apparently not very local in this case (maybe also a dash problem?).
The exploit was made from a Wikipedia image [0].
It would be nice to have it fixed in jessie.
Cheers,
Jiri
[0] https://commons.wikimedia.org/wiki/Category:Unidentified_animals#mediaviewer/File:Augochlora_buscki,_M,_Back5,_Puerto_Rico,_Yauco_2014-09-15-18.11.39_ZS_PMax_(16292752499).jpg
-- System Information:
Debian Release: 8.0
APT prefers testing
APT policy: (990, 'testing'), (500, 'testing-updates'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
xdg-utils depends on no packages.
Versions of packages xdg-utils recommends:
pn libfile-mimeinfo-perl <none>
pn libnet-dbus-perl <none>
pn libx11-protocol-perl <none>
ii x11-utils 7.7+2
ii x11-xserver-utils 7.7+3+b1
Versions of packages xdg-utils suggests:
pn gvfs-bin <none>
-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: xdg-open.diff
Type: text/x-diff
Size: 1162 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20150211/b00f760d/attachment-0001.diff>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: exploit.jpg
Type: image/jpeg
Size: 49626 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20150211/b00f760d/attachment-0001.jpg>
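Added example, not part of the original report and not xdg-open's code: a constructed model of the failure class the report names, a name collision in shell "local" variables. In dash and bash, `local` is dynamically scoped, so a callee that assigns the same name without its own declaration overwrites the caller's variable; every function name, variable name and file content below is hypothetical.

```shell
#!/bin/sh
# Constructed model, not xdg-open's code; all names are hypothetical.

# Print the value of key $2 from file $1 (first match only).
get_key() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Helper with no declaration: "file" resolves to the caller's local.
note_target_unscoped() {
    file="$1"
}

# Same helper with its own declaration: the caller's "file" is untouched.
note_target_scoped() {
    local file
    file="$1"
}

# Caller: $1 = trusted handler description, $2 = file the user asked
# to open, $3 = helper to call. It means to parse only the trusted file.
handler_for() {
    local file
    file="$1"
    "$3" "$2"                # helper may silently rebind "file"
    get_key "$file" Exec     # parses whatever "file" names now
}

demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed sample inputs.
    printf 'Exec=trusted-viewer\n'   > "$tmp/handler.desktop"
    printf 'Exec=from-opened-file\n' > "$tmp/opened.txt"
    printf 'unscoped helper: %s\n' \
        "$(handler_for "$tmp/handler.desktop" "$tmp/opened.txt" note_target_unscoped)"
    printf 'scoped helper:   %s\n' \
        "$(handler_for "$tmp/handler.desktop" "$tmp/opened.txt" note_target_scoped)"
    rm -rf "$tmp"
}

demo
```

With the unscoped helper the caller ends up parsing the opened file instead of the trusted one; declaring the variable in every function that assigns it keeps the two apart.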