Bugzilla – Bug 918836
VUL-1: CVE-2015-1877: xdg-utils: Command injection vulnerability due to local variables collision in xdg-open
Last modified: 2016-04-27 20:18:54 UTC
Created attachment 624007
Reproducer

From: Jiri Horner <laeqten@gmail.com>

there is a long-standing issue with xdg-open on debian -- it parses all files it is trying to open. This is easily exploitable.

Requirements are similar as in last RCE:

Window Manager which is _NOT_ one of the following:
* KDE
* GNOME
* MATE
* XFCE
* ENLIGHTENMENT

Problem is caused by name collision in local variables, which are apparently not very local in this case (maybe also dash problem?)

========

This doesn't affect us since it only occurs with dash. We will include this in the next update (VUL-1) as a precaution.

References:
https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5%3BfileNAME=xdg-OPEN.diff%3Batt=1;bug=777722#05652384962902024364
https://bugzilla.redhat.com/show_bug.cgi?id=1194205
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1877
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1877.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1877
bugbot adjusting priority
It seems SLE12 is not affected even if it used dash (which it doesn't by default). The Debian patch just changed the name of a local variable to a loop that clashed with a global variable. In our xdg-open version, we already use a different name that doesn't clash. Anyway, I'll empirically test it by installing dash and check SLE11 too. openSUSE 13.2 is not affected either, for the same reasons.
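The kind of name collision described in the comment above, as an added illustration that is not xdg-open's code and not part of the original report: shell `local` variables are dynamically scoped, so a helper that reuses its caller's variable name as an undeclared loop variable overwrites the caller's value, and renaming the loop variable removes the clash. It shows the general mechanism only, not the dash-specific behaviour mentioned in the report; all function names, variable names and paths are constructed.

```shell
#!/bin/sh
# Constructed illustration; function and variable names are hypothetical
# and are not taken from xdg-open.

# Helper that scans candidate handler entries. Its loop variable "file" is
# NOT declared local, so it assigns to whichever "file" is visible when the
# helper is called, including a caller's local of the same name.
find_handler_colliding() {
    for file in "$@"; do
        [ "$file" = "text.desktop" ] && return 0
    done
    return 1
}

# Same helper with the loop variable renamed and declared local, so it can
# no longer touch the caller's state.
find_handler_fixed() {
    local entry
    for entry in "$@"; do
        [ "$entry" = "text.desktop" ] && return 0
    done
    return 1
}

# Caller: "file" holds the path the user asked to open. After the helper
# returns, the caller prints the value it would pass on to the handler.
open_with() {
    local helper="$1" file="$2"
    "$helper" image.desktop text.desktop
    printf '%s\n' "$file"
}

open_with find_handler_colliding "/home/user/report.txt"   # prints text.desktop
open_with find_handler_fixed     "/home/user/report.txt"   # prints /home/user/report.txt
```

When reviewing a script for this pattern, look for loop and scratch variables in helper functions that are assigned without a `local` declaration and share a name with a variable in any caller.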
As expected, I couldn't reproduce the problem. So we are definitely not affected by this exploit in SLE12 nor openSUSE 13.2. SLE11 (SP3) is using a really different version of xdg-open that doesn't have this problem either.
Nothing left to do, thanks for your work.