desktop-packages team mailing list archive

[Bug 1413643] [NEW] xdg-open command injection vulnerability

 

Public bug reported:

John Houwer discovered a way to cause xdg-open, a tool that
automatically opens URLs in a user's preferred application, to execute
arbitrary commands remotely.

** Affects: xdg-utils
     Importance: Unknown
         Status: Unknown

** Affects: xdg-utils (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: xdg-utils (Debian)
     Importance: Unknown
         Status: Unknown

** Bug watch added: Debian Bug tracker #773085
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773085

** Also affects: xdg-utils (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773085
   Importance: Unknown
       Status: Unknown

** Bug watch added: freedesktop.org Bugzilla #66670
   https://bugs.freedesktop.org/show_bug.cgi?id=66670

** Also affects: xdg-utils via
   https://bugs.freedesktop.org/show_bug.cgi?id=66670
   Importance: Unknown
       Status: Unknown

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to xdg-utils in Ubuntu.
https://bugs.launchpad.net/bugs/1413643

Title:
  xdg-open command injection vulnerability

Status in Xdg-utils:
  Unknown
Status in xdg-utils package in Ubuntu:
  New
Status in xdg-utils package in Debian:
  Unknown

Bug description:
  John Houwer discovered a way to cause xdg-open, a tool that
  automatically opens URLs in a user's preferred application, to execute
  arbitrary commands remotely.

To manage notifications about this bug go to:
https://bugs.launchpad.net/xdg-utils/+bug/1413643/+subscriptions

