ESB-2018.1611 - [Debian] xdg-utils: Execute arbitrary code/commands - Remote with user interaction 2018-05-28


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1611
                         xdg-utils security update
                                28 May 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           xdg-utils
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-18266  

Reference:         ESB-2018.1551

Original Bulletin: 
   http://www.debian.org/security/2018/dsa-4211

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4211-1                   security@debian.org
https://www.debian.org/security/                            Luciano Bello
May 25, 2018                          https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : xdg-utils
CVE ID         : CVE-2017-18266
Debian Bug     : 898317

Gabriel Corona discovered that xdg-utils, a set of tools for desktop
environment integration, is vulnerable to argument injection attacks. If
the environment variable BROWSER in the victim host has a "%s" and the
victim opens a link crafted by an attacker with xdg-open, the malicious
party could manipulate the parameters passed to the browser when it is
launched. Such manipulation could, for example, point the browser at a
proxy through which its network traffic could be intercepted for that
particular execution.
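As an added illustration (not Debian's or the xdg-utils project's code), the following Python contrasts two ways of expanding a BROWSER value that carries a "%s" placeholder. The advisory only states that such a placeholder plus a crafted link lets the link influence the browser's parameters; the specific vulnerable pattern shown here (substituting the URL into the template text and then word-splitting the result shell-style) is an assumption, and BROWSER_TEMPLATE, CRAFTED_URL and the "--injected-option" token are constructed sample values. The hardened variant tokenises the template first, so the URL stays a single argv element, and the leading-dash refusal is an additional defence-in-depth choice that the advisory does not specify.

```python
import shlex
import subprocess
from typing import List

# Constructed sample values for the demonstration (not from the advisory).
BROWSER_TEMPLATE = "example-browser --new-window %s"
CRAFTED_URL = "http://example.com/ --injected-option=value"


def template_uses_placeholder(browser_value: str) -> bool:
    """The advisory's precondition: the BROWSER value contains a "%s"."""
    return "%s" in browser_value


def expand_unsafe(template: str, url: str) -> List[str]:
    """Assumed vulnerable pattern: substitute the URL into the template
    text, then let shell-style word splitting produce argv. Whitespace
    inside the URL turns into extra arguments for the browser."""
    return shlex.split(template.replace("%s", url))


def expand_safe(template: str, url: str) -> List[str]:
    """Hardened pattern: tokenise the template first, then substitute the
    URL into the token that holds "%s", so the URL remains one argv element
    regardless of the characters it contains. Refusing a URL that begins
    with "-" is an extra defence-in-depth assumption, not advisory text."""
    if url.startswith("-"):
        raise ValueError("refusing a URL that would be parsed as an option")
    tokens = shlex.split(template)
    if not any("%s" in tok for tok in tokens):
        # No placeholder: append the URL as its own argument.
        return tokens + [url]
    return [tok.replace("%s", url) if "%s" in tok else tok for tok in tokens]


def launch(template: str, url: str) -> None:
    """Launch without a shell; argv goes straight to the new process."""
    subprocess.run(expand_safe(template, url), check=False)


if __name__ == "__main__":
    print("unsafe:", expand_unsafe(BROWSER_TEMPLATE, CRAFTED_URL))
    print("safe  :", expand_safe(BROWSER_TEMPLATE, CRAFTED_URL))
```

Running the block shows the unsafe expansion producing four argv elements (the crafted link has become a URL plus a separate option), while the safe expansion keeps the whole link as the third element, which the browser then treats as a single, odd-looking URL rather than as additional parameters.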

For the oldstable distribution (jessie), this problem has been fixed
in version 1.1.0~rc1+git20111210-7.4+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 1.1.1-1+deb9u1.

We recommend that you upgrade your xdg-utils packages.

For the detailed security status of xdg-utils please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/xdg-utils

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWwtaDGaOgq3Tt24GAQhgiA//d9UD9HIcRr1H7iGLC7LUMiZag4n9Th+C
Uwk0YUJhs25CJlYFVWyzuIDfWlVarPQ8ciHvM6Q0BvXWy0g7Z4XoOllM9ZS1Dh6o
olJ5g/06Mg6oXAr6DMzHJZmbgwTbeo7luo8p1Ww7wfa7i8ynobOPWZWoKCRV1AL9
Z8jUudRxVjbBMPfUUnxcgzF1bP8cT/5EncalQdJlLvSVJWzJb4LB6diRDk9STxa6
pzlKWJOwEul8n+PHKwFpx/zqhUm9ic1pjjHq1C2XzQP2BAcdcJcJz0HNIvuWnke1
ABLBqOjLxa/lwgPbNOiZnND8Wd/diAqcrN8ucZvXDWzQSFK+K97q4dkhSu0ZahK2
FahlUAtE7B0ZuKO1ghzOWLENEwehQcszt18BiZmbCbdsa6KZq/QFx9y4WwxA5QGI
B+Z7npZsZcTewDZqqfEXKpm09GNIr2rkZC9loKRtP7lCaDEMCweypJt5biWkczXR
tHHWXqUhK1x4ZOM+4JE75pO7Rcn/0QwwdYN0YdUXBp2i31fG0rN4JvcH9g33e+xS
VEUrqBd/n/17ALTD9HgoK8cJxVnsNQUAYkFGk45lljY9vi4PHJZwTrw1T3J8R44w
+duWhx1u2fQ0CmiDGtwh6D8PHIwcYUgdL0W+vFQ8DSh2089iI94MXH2F5SnHHVGd
C1E0fGmoVio=
=CwGI
-----END PGP SIGNATURE-----
