xdg-open command injection vulnerability
Bug #1413643 reported by Thaddaeus Tintenfisch
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Xdg-utils | Fix Released | Medium | | |
| xdg-utils (Debian) | Fix Released | Unknown | | |
| xdg-utils (Ubuntu) | Invalid | Undecided | Unassigned | |
Bug Description
John Houwer discovered a way to cause xdg-open, a tool that automatically opens URLs in a user's preferred application, to execute arbitrary commands remotely.
description: updated
Changed in xdg-utils (Debian): status: Unknown → Fix Released
Changed in xdg-utils: importance: Unknown → Medium; status: Unknown → Fix Released
A Gentoo user discovered [1] a vulnerability in xdg-open which allows for arbitrary command injection. I was able to confirm it by running the following command, and it worked with both our packaged version of xdg-utils (1.1.0_rc1 plus some patches) and current git master:
DE="generic" XDG_CURRENT_DESKTOP="" xdg-open 'http://127.0.0.1/$(xterm)' START /usr/bin/chromium-browser "http://127.0.0.1/$(xterm)"
That command should open an xterm terminal instead of chromium. Further details available at our bug.
[1] https://bugs.gentoo.org/show_bug.cgi?id=472888
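The comment above shows a `$(xterm)` inside a URL being executed. The script below is an added example, not xdg-utils' own code, that models that bug class from the defender's side: a launcher that hands the URL back to the shell through `eval`, the same launcher calling the handler directly with the URL as one quoted word, and a coarse metacharacter gate for any launcher that still routes strings through a shell. That the injection comes from the URL being re-parsed by the shell is an assumption made here, not something this page states; the handler name `fake_browser`, the `INJECTED` marker and the demo URL are constructed for the example.

```shell
#!/bin/sh
# Added example (not xdg-utils code): models the bug class from the comment above.
# The handler name, the marker text and the demo URL are constructed for this demo.

# Stand-in for a browser launcher: prints the single URL argument it receives.
fake_browser() {
    printf '%s\n' "$1"
}

# Assumed vulnerable pattern: the URL string is fed back through the shell with
# eval, so $(...) and backticks inside it become command substitutions.
open_url_eval() {
    eval fake_browser "$1"
}

# Hardened pattern: call the handler directly; "$1" is passed as one word and is
# never re-parsed, so shell syntax inside the URL stays literal text.
open_url_direct() {
    fake_browser "$1"
}

# Defence in depth for a launcher that still passes URLs to a shell: refuse
# strings containing characters a second shell parse would act on. RFC 3986
# allows some of these (e.g. & and $) in query strings, so this is a coarse
# gate, not a substitute for removing the eval.
url_is_shell_safe() {
    case "$1" in
        *'$'*|*'`'*|*';'*|*'|'*|*'&'*|*'<'*|*'>'*|*'('*|*')'*|*' '*)
            return 1 ;;
    esac
    return 0
}

# Constructed test URL: a harmless substitution that only rewrites the path.
DEMO_URL='http://127.0.0.1/$(echo INJECTED)'

echo "eval path   -> $(open_url_eval "$DEMO_URL")"     # substitution ran
echo "direct path -> $(open_url_direct "$DEMO_URL")"   # literal URL preserved
if url_is_shell_safe "$DEMO_URL"; then
    echo "check: accepted"
else
    echo "check: rejected"
fi
```

Running the script shows the eval path delivering `http://127.0.0.1/INJECTED` to the handler (the `$(...)` was executed during the second parse) while the direct path delivers the URL verbatim; the gate rejects the demo URL but accepts a plain `http://127.0.0.1/index.html`.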