
desktop-packages team mailing list archive

[Bug 1413643] Re: xdg-open command injection vulnerability

 

Ubuntu is not vulnerable to this issue as it uses an older version of
xdg-utils.

Please see the security tracker:

http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9622.html

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-9622

** Changed in: xdg-utils (Ubuntu)
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to xdg-utils in Ubuntu.
https://bugs.launchpad.net/bugs/1413643

Title:
  xdg-open command injection vulnerability

Status in Xdg-utils:
  Unknown
Status in xdg-utils package in Ubuntu:
  Invalid
Status in xdg-utils package in Debian:
  Unknown

Bug description:
  John Houwer discovered a way to cause xdg-open, a tool that
  automatically opens URLs in a user's preferred application, to execute
  arbitrary commands remotely.

  https://www.debian.org/security/2015/dsa-3131

To manage notifications about this bug go to:
https://bugs.launchpad.net/xdg-utils/+bug/1413643/+subscriptions

