Bug 913676 (CVE-2014-9622) - VUL-0: CVE-2014-9622: xdg-utils: remote code execution in xdg-open
Summary: VUL-0: CVE-2014-9622: xdg-utils: remote code execution in xdg-open
Status: RESOLVED FIXED
Alias: CVE-2014-9622
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium (priority), Major (severity)
Target Milestone: ---
Assignee: Antonio Larrosa
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/112765/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-01-19 12:18 UTC by Victor Pereira
Modified: 2015-03-27 14:44 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Comment 1 Swamp Workflow Management 2015-01-19 23:04:15 UTC
bugbot adjusting priority
Comment 3 Antonio Larrosa 2015-01-20 13:43:46 UTC
SLE11 is not affected by this bug (the xdg-utils version included is too old)
SLE12 wasn't affected by this bug in xdg-open since there was another bug in xdg-mime that was preventing it from happening. Once xdg-mime was fixed (to return only one result in a specific case) then the RCE was reproducible in xdg-open and I backported the upstream patch ( https://build.suse.de/request/show/48670 )

I also committed the upstream patch to openSUSE Factory ( https://build.opensuse.org/request/show/282051 ) and openSUSE 13.2 ( https://build.opensuse.org/request/show/282078 )
Comment 4 Antonio Larrosa 2015-01-20 13:51:21 UTC
It seems at the same time I was committing my fix for openSUSE:Factory the sources at X11:common:Factory/xdg-utils were updated from upstream, thus already including this patch, so I revoked that submit request.
Comment 5 Victor Pereira 2015-01-20 15:25:54 UTC
OK, so it's an openSUSE-only issue, right?
Comment 6 Antonio Larrosa 2015-01-21 16:15:58 UTC
SLE12 is not affected right now[1], but if someone ever fixes the xdg-mime bug[2], then this issue would appear. So I think it's better to fix both of them at once.

[1] You can check this by running
DE="generic" XDG_CURRENT_DESKTOP="" xdg-open 'http://127.0.0.1/$(xterm)'
If a browser is opened instead of xterm, then you're safe.

[2] You can check this by running
DE="generic" XDG_CURRENT_DESKTOP="" xdg-mime query default x-scheme-handler/http
If only one desktop file is returned in stdout, then you're safe.
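Added illustration, not part of the bug report and not xdg-utils' own code: the `$(xterm)` URL in comment 6 works because the launcher hands the URL to the shell as part of a command line, so a command substitution inside it is executed. The script below uses an `eval`-based launcher as an assumed stand-in for that bug class, puts the hardened form beside it, and probes both the way comment 6 probes xdg-open, but with a harmless substitution. `fake_browser`, `launch_vulnerable`, `launch_hardened` and `launcher_is_injectable` are constructed names.

```shell
#!/bin/sh
# Constructed illustration of the bug class behind the $(xterm) check in
# comment 6: a URL spliced into a command string and eval'd is re-parsed by
# the shell, so a command substitution inside the URL runs.
# This is not xdg-utils' code; the eval pattern is an assumed stand-in.

# Stand-in "browser" (constructed): just reports the URL it received.
fake_browser() {
    printf 'browser got: %s\n' "$1"
}

# Vulnerable pattern: handler and URL joined into one string and eval'd.
# Anything the shell recognises in the URL ($(...), `...`, ;, &&) is honoured.
launch_vulnerable() {
    handler="$1"
    url="$2"
    eval "$handler $url"
}

# Hardened pattern: the handler is invoked directly and the URL is passed as
# a single quoted argument, so it reaches the handler byte-for-byte.
launch_hardened() {
    handler="$1"
    url="$2"
    "$handler" "$url"
}

# Probe a launcher with a harmless substitution: returns 0 (true) if the
# substitution was executed, 1 if the literal "$(" survived to the handler.
launcher_is_injectable() {
    launcher="$1"
    probe='http://127.0.0.1/$(echo substituted)'
    got=$("$launcher" fake_browser "$probe")
    case "$got" in
        *'$('*) return 1 ;;
        *)      return 0 ;;
    esac
}

# Stand-alone run: report the verdict for both launchers.
for l in launch_vulnerable launch_hardened; do
    if launcher_is_injectable "$l"; then
        echo "$l: INJECTABLE"
    else
        echo "$l: safe"
    fi
done
```

The probe uses `echo` rather than `xterm`, so a positive result shows up as the word `substituted` replacing the `$(...)` in the URL the handler received; with the hardened launcher the handler sees the `$(` characters untouched, which is the same "browser opens instead of xterm" outcome comment 6 describes.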
Comment 7 Swamp Workflow Management 2015-02-02 11:05:20 UTC
openSUSE-SU-2015:0191-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 906625,913676
CVE References: CVE-2014-9622
Sources used:
openSUSE 13.2 (src):    xdg-utils-20140922-12.1
Comment 8 Swamp Workflow Management 2015-02-12 14:05:42 UTC
SUSE-SU-2015:0271-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 906625,913676
CVE References: CVE-2014-9622
Sources used:
SUSE Linux Enterprise Server 12 (src):    xdg-utils-20140630-5.1
SUSE Linux Enterprise Desktop 12 (src):    xdg-utils-20140630-5.1
Comment 9 Marcus Meissner 2015-03-27 14:44:45 UTC
seems resolved