desktop-packages team mailing list archive

Thread
Date

[Bug 1413643] Re: xdg-open command injection vulnerability

To: desktop-packages@xxxxxxxxxxxxxxxxxxx
From: Thaddaeus Tintenfisch <thad.fisch@xxxxxxxxx>
Date: Thu, 22 Jan 2015 15:58:40 -0000
Reply-to: Bug 1413643 <1413643@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Description changed:

  John Houwer discovered a way to cause xdg-open, a tool that
  automatically opens URLs in a user's preferred application, to execute
  arbitrary commands remotely.
+ 
+ https://www.debian.org/security/2015/dsa-3131

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to xdg-utils in Ubuntu.
https://bugs.launchpad.net/bugs/1413643

Title:
  xdg-open command injection vulnerability

Status in Xdg-utils:
  Unknown
Status in xdg-utils package in Ubuntu:
  Invalid
Status in xdg-utils package in Debian:
  Unknown

Bug description:
  John Houwer discovered a way to cause xdg-open, a tool that
  automatically opens URLs in a user's preferred application, to execute
  arbitrary commands remotely.

  https://www.debian.org/security/2015/dsa-3131

To manage notifications about this bug go to:
https://bugs.launchpad.net/xdg-utils/+bug/1413643/+subscriptions

References

[Bug 1413643] [NEW] xdg-open command injection vulnerability
From: Thaddaeus Tintenfisch, 2015-01-22