[SRU] Thunar CVE-2021-32563 (focal, groovy, hirsute)

Bug #1931510 reported by Sean Davis
This bug affects 3 people
Affects            Status         Importance   Assigned to   Milestone
thunar (Ubuntu)    Fix Released   Undecided    Unassigned
Focal              Confirmed      Undecided    Unassigned
Groovy             Won't Fix      Undecided    Unassigned
Hirsute            Won't Fix      Undecided    Unassigned
Impish             Fix Released   Undecided    Unassigned

Bug Description

[Impact]

CVE-2021-32563 affects Thunar versions found in supported releases.
https://nvd.nist.gov/vuln/detail/CVE-2021-32563

From the CVE:

An issue was discovered in Thunar before 4.16.7 and 4.17.x before 4.17.2. When called with a regular file as a command-line argument, it delegates to a different program (based on the file type) without user confirmation. This could be used to achieve code execution.

Related upstream issues:
- https://gitlab.xfce.org/xfce/thunar/-/issues/121
- https://gitlab.xfce.org/xfce/thunar/-/issues/575
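As an added example (not part of the bug report or the Thunar project), the affected upstream version ranges quoted from the CVE above, turned into a small check that takes an upstream Thunar version string and reports whether it falls inside them; the function names and the sample versions are my own.

```python
import re
from typing import Tuple

# Upstream Thunar ranges stated by CVE-2021-32563:
#   affected: versions before 4.16.7, and 4.17.x before 4.17.2
FIXED_STABLE = (4, 16, 7)
FIXED_DEV = (4, 17, 2)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.16.6' (or '4.16.6-1ubuntu1') into (4, 16, 6).

    Only the leading dotted numeric part is used; packaging suffixes are ignored.
    """
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    # pad to three components so tuple comparison is well defined ('4.17' -> (4, 17, 0))
    return parts + (0,) * max(0, 3 - len(parts))


def is_affected(version: str) -> bool:
    """True if the upstream Thunar version lies in a range the CVE names as affected."""
    v = parse_version(version)
    # the 4.17.x development series is handled separately: 4.17.0 and 4.17.1
    # are newer than 4.16.7 yet still vulnerable until 4.17.2
    if v[:2] == (4, 17):
        return v < FIXED_DEV
    return v < FIXED_STABLE


if __name__ == "__main__":
    # constructed sample versions, not taken from any real installation
    for sample in ("1.8.15", "4.16.6", "4.16.7", "4.17.1", "4.17.2", "4.18.0"):
        print(f"{sample:8} affected={is_affected(sample)}")
```

This reflects upstream version numbers only; the focal and groovy packages are 1.8.x builds that receive the fix as a backported patch, so for those the package changelog, not the upstream version, shows whether the fix is present.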

The patches required for each supported release can be found here:

1.8.x for focal, groovy:
https://gitlab.xfce.org/xfce/thunar/-/commit/1b85b96ebf7cb9bf6a3ddf1acee7643643fdf92d

4.16.x for hirsute:
https://gitlab.xfce.org/xfce/thunar/-/commit/9165a61f95e43cc0b5abf9b98eee2818a0191e0b
https://gitlab.xfce.org/xfce/thunar/-/commit/3b54d9d7dbd7fd16235e2141c43a7f18718f5664

[Test Plan]

1. Execute `thunar ~/Pictures/icon.png`
2. The default application loads the file.

Expected behavior:
Thunar should instead open, selecting the file.

[Where problems could occur]

Scripts and applications depending on the previous functionality will be adversely affected. Since this functionality (opening the file in its default application instead of navigating to the file) is specific to Thunar and not found in other file managers, this change should have minimal regression impact.

[Other Info]

We've done some preliminary work to resolve this issue.

See https://github.com/Xubuntu/xubuntu-development/issues/6 for a verification of the fix.

Builds can be found here:
https://launchpad.net/~xubuntu-dev/+archive/ubuntu/sru-staging

Sean Davis (bluesabre) wrote :

Attaching debdiff for focal.

Changed in thunar (Ubuntu Impish):
status: New → Fix Released
Sean Davis (bluesabre) wrote :

Attaching debdiff for groovy.

Sean Davis (bluesabre) wrote :

Attaching debdiff for hirsute.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in thunar (Ubuntu Focal):
status: New → Confirmed
Changed in thunar (Ubuntu Groovy):
status: New → Confirmed
Changed in thunar (Ubuntu Hirsute):
status: New → Confirmed
John T (jt252) wrote :

I have confirmed that this bug affects me using Xubuntu 20.10.

Sean Davis (bluesabre) wrote :

Groovy is now EOL.

Changed in thunar (Ubuntu Groovy):
status: Confirmed → Won't Fix
Brian Murray (brian-murray) wrote :

The Hirsute Hippo has reached End of Life, so this bug will not be fixed for that release.

Changed in thunar (Ubuntu Hirsute):
status: Confirmed → Won't Fix