Bug 1218299 (CVE-2023-44452)

Summary: VUL-0: CVE-2023-44452: xreader: command injection during CBT file parsing
Product: [openSUSE] openSUSE Distribution Reporter: SMASH SMASH <smash_bz>
Component: SecurityAssignee: andy great <andythe_great>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: carlos.lopez
Version: Leap 15.6   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/388935/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2023-12-21 08:49:29 UTC 
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Linux Mint Xreader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of CBT files. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the current user.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-44452
https://www.zerodayinitiative.com/advisories/ZDI-23-1836/
Comment 1 OBSbugzilla Bot 2024-01-28 11:35:04 UTC 
This is an autogenerated message for OBS integration:
This bug (1218299) was mentioned in
https://build.opensuse.org/request/show/1142074 Factory / xreader