Univention Bugzilla – Bug 47540
xdg-utils: Multiple issues (4.2)
Last modified: 2018-08-15 16:20:28 CEST
New Debian xdg-utils 1.1.0~rc1+git20111210-7.4+deb8u1 fixes:

This update addresses the following issue(s):
* The open_envvar function in xdg-open in xdg-utils before 1.1.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL, as demonstrated by %s in this environment variable. (CVE-2017-18266)

1.1.0~rc1+git20111210-7.4+deb8u1 (Sun, 20 May 2018 22:49:00 +0300)
* Fix CVE-2017-18266,.
  - Avoid argument injection vulnerability in open_generic.

* CVE-2017-18266 xdg-utils: Argument injection vulnerability in open_envvar() function (CVE-2017-18266)
--- mirror/ftp/4.2/unmaintained/4.2-0/source/xdg-utils_1.1.0~rc1+git20111210-7.4.dsc +++ apt/ucs_4.2-0-errata4.2-4/source/xdg-utils_1.1.0~rc1+git20111210-7.4+deb8u1.dsc @@ -1,3 +1,8 @@ +1.1.0~rc1+git20111210-7.4+deb8u1 [Sun, 20 May 2018 22:49:00 +0300] Nicholas Guriev <guriev-ns@ya.ru>: + + * Fix CVE-2017-18266, closes: #898317. + - Avoid argument injection vulnerability in open_generic. + 1.1.0~rc1+git20111210-7.4 [Fri, 20 Feb 2015 16:24:18 +0100] Salvatore Bonaccorso <carnil@debian.org>: * Non-maintainer upload. <http://10.200.17.11/4.2-4/#351482199496266470>
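Review bot: the added changelog entry names open_generic as the function being fixed ("Avoid argument injection vulnerability in open_generic"), while the CVE-2017-18266 description quoted in this bug places the flaw in open_envvar in xdg-open. The entry should state which function the patch actually changes, or name both, so the fix can be matched against the advisory. This diff covers only the changelog text in the .dsc comparison, so the BROWSER/%s handling itself still has to be checked in the package source.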
OK: yaml
OK: errata-announce
OK: patch
OK: piuparts

[4.2-4] a9fe723f11 Bug #47540: xdg-utils 1.1.0~rc1+git20111210-7.4+deb8u1
 doc/errata/staging/xdg-utils.yaml | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

[4.2-4] 7058d16e27 Bug #47540: xdg-utils 1.1.0~rc1+git20111210-7.4+deb8u1
 doc/errata/staging/xdg-utils.yaml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
<http://errata.software-univention.de/ucs/4.2/487.html>