[Bug 1413643] Re: xdg-open command injection vulnerability
Launchpad has imported 22 comments from the remote bug at
https://bugs.freedesktop.org/show_bug.cgi?id=66670.
If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.
------------------------------------------------------------------------
On 2013-07-07T15:09:03+00:00 Chris Reffett wrote:
A Gentoo user discovered [1] a vulnerability in xdg-open which allows
for arbitrary command injection. I was able to confirm it by running the
following command, and it worked with both our packaged version of xdg-utils (1.1.0_rc1 plus some patches) and current git master:
DE="generic" XDG_CURRENT_DESKTOP="" xdg-open 'http://127.0.0.1/$(xterm)'
START /usr/bin/chromium-browser "http://127.0.0.1/$(xterm)"
That command should open an xterm terminal instead of chromium. Further
details available at our bug.
[1] https://bugs.gentoo.org/show_bug.cgi?id=472888
Reply at: https://bugs.launchpad.net/ubuntu/+source/xdg-utils/+bug/1413643/comments/0
------------------------------------------------------------------------
On 2013-07-07T15:28:09+00:00 Chris Reffett wrote:
This looks kind of similar to CVE-2008-0386 [1], though I don't believe
shell metacharacters are the issue here. Different causes, similar
impact.
Reply at: https://bugs.launchpad.net/ubuntu/+source/xdg-utils/+bug/1413643/comments/1
------------------------------------------------------------------------
On 2014-11-14T23:07:53+00:00 Rdieter-math wrote:
Reminded of this today, will take a closer look over the weekend.
Reply at: https://bugs.launchpad.net/ubuntu/+source/xdg-utils/+bug/1413643/comments/2
------------------------------------------------------------------------
On 2014-11-15T17:56:47+00:00 Alan Coopersmith wrote:
Posted to full-disclosure security mailing list yesterday:
http://seclists.org/fulldisclosure/2014/Nov/36
Reply at: https://bugs.launchpad.net/ubuntu/+source/xdg-utils/+bug/1413643/comments/3
------------------------------------------------------------------------
On 2014-11-15T19:06:37+00:00 Rdieter-math wrote:
I'm starting to wonder if this is specific to xdg-utils at all.
Skipping xdg-open and running browsers directly:
/usr/bin/google-chrome-stable "http://127.0.0.1/$(xterm)"
/usr/bin/firefox "http://127.0.0.1/$(xterm)"
etc...
does exactly the same thing.
Reply at: https://bugs.launchpad.net/ubuntu/+source/xdg-utils/+bug/1413643/comments/4
------------------------------------------------------------------------
On 2014-11-15T19:07:58+00:00 Rdieter-math wrote:
Ah, but using ' instead of " quotes, leads to something that avoids
shell expansion, maybe we can simply go with that.
Reply at: https://bugs.launchpad.net/ubuntu/+source/xdg-utils/+bug/1413643/comments/5
------------------------------------------------------------------------
On 2014-11-15T19:50:01+00:00 Rdieter-math wrote:
Related here is bug #30453 and commit:
http://cgit.freedesktop.org/xdg/xdg-utils/commit/?id=a616912e48b7ff1d908852739d16525df79471b9
Got some apparent extraneous quoting going on
Reply at: https://bugs.launchpad.net/ubuntu/+source/xdg-utils/+bug/1413643/comments/6
------------------------------------------------------------------------
On 2014-11-15T20:02:09+00:00 Rdieter-math wrote:
Created attachment 109536
Fix argument quoting to avoid evaluation
First try to address argument quoting issues. Seems to fix test-case
ok, trying other use-cases to verify no regressions. Please test.
Reply at: https://bugs.launchpad.net/ubuntu/+source/xdg-utils/+bug/1413643/comments/7
------------------------------------------------------------------------
On 2015-01-04T04:09:39+00:00 Rdieter-math wrote:
Any feedback here or alternative patches?
Reply at: https://bugs.launchpad.net/ubuntu/+source/xdg-utils/+bug/1413643/comments/8
------------------------------------------------------------------------
On 2015-01-04T19:36:14+00:00 Michael Gilbert wrote:
The proposed changes cause a regression. See
http://bugs.debian.org/773085.
Reply at: https://bugs.launchpad.net/ubuntu/+source/xdg-utils/+bug/1413643/comments/9
------------------------------------------------------------------------
On 2015-01-05T19:10:47+00:00 Rdieter-math wrote:
Created attachment 111778
Fix argument quoting to avoid execution
second try, please test.
Reply at: https://bugs.launchpad.net/ubuntu/+source/xdg-utils/+bug/1413643/comments/10
------------------------------------------------------------------------
On 2015-01-06T22:04:12+00:00 Michael Gilbert wrote:
There is still a regression. File names with spaces won't work.
Reply at: https://bugs.launchpad.net/ubuntu/+source/xdg-utils/+bug/1413643/comments/11
------------------------------------------------------------------------
On 2015-01-06T22:23:24+00:00 Rdieter-math wrote:
OK, rats, back to the drawing board, I'll have to work harder to find a
way to make it work while avoiding any 'eval'
Reply at: https://bugs.launchpad.net/ubuntu/+source/xdg-utils/+bug/1413643/comments/12
------------------------------------------------------------------------
On 2015-01-06T23:40:47+00:00 Rdieter-math wrote:
Created attachment 111873
nuke some extra quoting
first step to proper fix
Reply at: https://bugs.launchpad.net/ubuntu/+source/xdg-utils/+bug/1413643/comments/13
------------------------------------------------------------------------
On 2015-01-06T23:42:35+00:00 Rdieter-math wrote:
Created attachment 111874
Fix argument quoting to avoid execution
try wrapping vars in "' ... '"
Reply at: https://bugs.launchpad.net/ubuntu/+source/xdg-utils/+bug/1413643/comments/14
------------------------------------------------------------------------
On 2015-01-19T11:20:39+00:00 Rdieter-math wrote:
Haven't heard any complaints, so...
Committed the latest approach,
http://cgit.freedesktop.org/xdg/xdg-utils/commit/?id=ab071beaabb62ceda3028dd5efa85e8057c29006
Reply at: https://bugs.launchpad.net/ubuntu/+source/xdg-utils/+bug/1413643/comments/15
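The quoting variants discussed in comments 14 and 15, and the invalid-test-case point from comment 20, as a constructed stand-in launcher (added example, not xdg-utils' own code; the eval patterns are schematic, and fake_browser, the URL and the path are made up for the demo):

```shell
#!/bin/sh
# Constructed example, not xdg-utils' own code: a stand-in launcher that
# shows why an eval-based command line executes $(...) found inside a URL,
# and how the quoting variants discussed in the thread behave on the same
# two inputs: an injected URL and a file name containing spaces.

# Stand-in for the browser: print each argument it receives on its own line.
fake_browser() {
    printf '%s\n' "$@"
}

# Pre-fix pattern (schematic): the URL is spliced into a string that eval
# re-parses, so a $(...) inside the URL is run by the launcher itself.
open_eval_double_quoted() {
    eval fake_browser "\"$1\""
}

# A quoting change that stops nothing and regresses spaces: the unquoted
# expansion is word-split before eval, so the path becomes two arguments.
# Illustrates the kind of regression reported in comment 11, not that patch.
open_eval_unquoted() {
    eval fake_browser $1
}

# Comment 14's approach: wrap the variable in "'...'" so that after eval
# re-parses the string the URL sits inside single quotes and is literal.
# Caveat: an argument containing a literal ' still breaks this form.
open_eval_single_quoted() {
    eval fake_browser "'$1'"
}

# Eval-free form: pass the URL as one word; no second parse ever happens,
# spaces are preserved and $(...) is just text.
open_no_eval() {
    fake_browser "$1"
}

# Inputs constructed for the demo. The URL is single-quoted so the calling
# shell does not expand it first (comment 20's point about the invalid test
# case); a double-quoted argument would run $(...) before the launcher.
url='http://127.0.0.1/$(echo INJECTED)'
path='file:///home/user/My Documents/report.pdf'

for fn in open_eval_double_quoted open_eval_unquoted \
          open_eval_single_quoted open_no_eval; do
    printf '== %s ==\n' "$fn"
    "$fn" "$url"
    "$fn" "$path"
done
```

Only the single-quoted eval and the eval-free form deliver both inputs to the browser unchanged; the other two show INJECTED in the URL, and the unquoted one also splits the path.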
------------------------------------------------------------------------
On 2015-01-21T19:59:09+00:00 Geert Janssens wrote:
I'm confused. How exactly can I verify the patch is fixing the arbitrary
command injection vulnerability?
I have installed xdg-utils-1.1.0-0.35.rc3.fc20, which should carry the
patch.
However the test command
DE="generic" XDG_CURRENT_DESKTOP="" xdg-open 'http://127.0.0.1/$(xterm)'
START /usr/bin/chromium-browser "http://127.0.0.1/$(xterm)"
opens an xterm both before I installed the test package and after.
I would have thought that the new package was supposed to open my default
browser (being firefox).
The package that was installed before the update was
xdg-utils.noarch 0:1.1.0-0.31.rc2.fc20
Reply at: https://bugs.launchpad.net/ubuntu/+source/xdg-utils/+bug/1413643/comments/16
------------------------------------------------------------------------
On 2015-01-21T23:44:13+00:00 Rdieter-math wrote:
I cannot reproduce it anymore.
What shell are you using?
Reply at: https://bugs.launchpad.net/ubuntu/+source/xdg-utils/+bug/1413643/comments/17
------------------------------------------------------------------------
On 2015-01-21T23:45:29+00:00 Rdieter-math wrote:
FWIW, I get:
$ DE="generic" XDG_CURRENT_DESKTOP="" xdg-open 'http://127.0.0.1/$(xterm)
START /usr/bin/google-chrome-stable http://127.0.0.1/$(xterm)
With a browser window with url: http://127.0.0.1/$(xterm)
Reply at: https://bugs.launchpad.net/ubuntu/+source/xdg-utils/+bug/1413643/comments/18
------------------------------------------------------------------------
On 2015-01-21T23:47:15+00:00 Rdieter-math wrote:
this test case, however, launches an xterm:
DE="generic" XDG_CURRENT_DESKTOP="" xdg-open "http://127.0.0.1/$(xterm)"
(note the difference here is the argument is in double quotes, not single quotes)
I'll have to double-check if this is valid or not
Reply at: https://bugs.launchpad.net/ubuntu/+source/xdg-utils/+bug/1413643/comments/19
------------------------------------------------------------------------
On 2015-01-22T08:12:18+00:00 Florian Weimer wrote:
(In reply to Rex Dieter from comment #19)
> this test case, however, launches an xterm:
>
> DE="generic" XDG_CURRENT_DESKTOP="" xdg-open "http://127.0.0.1/$(xterm)"
>
>
> (note the difference here is the argument is double quotes, note single
> quote)
>
> I'll have to double-check if this is valid or not
This test case is not valid because the user's shell starts xterm before
even calling xdg-open. There is nothing xdg-open can do against this.
Reply at: https://bugs.launchpad.net/ubuntu/+source/xdg-utils/+bug/1413643/comments/20
------------------------------------------------------------------------
On 2015-01-22T12:29:34+00:00 Rdieter-math wrote:
Thanks, I came to the same conclusion
Reply at: https://bugs.launchpad.net/ubuntu/+source/xdg-utils/+bug/1413643/comments/21
** Changed in: xdg-utils
Status: Unknown => Fix Released
** Changed in: xdg-utils
Importance: Unknown => Medium
** Bug watch added: Gentoo Bugzilla #472888
https://bugs.gentoo.org/show_bug.cgi?id=472888
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0386
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to xdg-utils in Ubuntu.
https://bugs.launchpad.net/bugs/1413643
Title:
xdg-open command injection vulnerability
Status in Xdg-utils:
Fix Released
Status in xdg-utils package in Ubuntu:
Invalid
Status in xdg-utils package in Debian:
Fix Released
Bug description:
John Houwer discovered a way to cause xdg-open, a tool that
automatically opens URLs in a user's preferred application, to execute
arbitrary commands remotely.
https://www.debian.org/security/2015/dsa-3131
To manage notifications about this bug go to:
https://bugs.launchpad.net/xdg-utils/+bug/1413643/+subscriptions