Bug 1113079 (CVE-2018-18398)

Summary: VUL-1: CVE-2018-18398: Thunar: mishandling the IBus-Unikey input method for file searches within File Manager
Product: [openSUSE] openSUSE Distribution
Reporter: Robert Frohl <rfrohl>
Component: Xfce
Assignee: E-mail List <bnc-team-xfce>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P4 - Low
CC: gber, seife, tiwai, vinz
Version: Leap 42.3
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/217797/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Robert Frohl 2018-10-24 11:15:12 UTC
CVE-2018-18398

Xfce Thunar 1.6.15, when Xfce 4.12 is used, mishandles the IBus-Unikey input
method for file searches within File Manager, leading to an out-of-bounds read
and SEGV. This could potentially be exploited by an arbitrary local user who
creates files in /tmp before the victim uses this input method.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-18398
http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-18398.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18398
https://0xd0ff9.wordpress.com/2018/10/18/cve-2018-18398/

Comment 1 Robert Frohl 2018-10-24 11:16:05 UTC
Couldn't find a patch, so I am unsure if openSUSE is affected.

Comment 2 Vinzenz Vietzke 2019-03-21 22:58:05 UTC
In Leap 42.3 Thunar is v1.6.10, in Leap 15 it's 1.6.14, TW has 1.8.4. So none of the officially supported distribution versions matches the reportedly problematic version of Thunar.
Furthermore, Leap 42.3 is expected to be EOL in June 2019. So I guess this problem is obsolete?

Comment 3 Vinzenz Vietzke 2019-04-11 21:37:49 UTC
No reply since 2019-03-21. As none of the officially supported distribution versions matches the reportedly problematic version of Thunar, I'll close this bug.