Bug 1179091 - (CVE-2020-27748) VUL-0: CVE-2020-27748: xdg-utils: local file inclusion vulnerability
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Simon Lees
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/272114/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-27748:5.5:(AV:...
Reported: 2020-11-23 10:07 UTC by Alexandros Toptsoglou
Modified: 2022-11-01 08:05 UTC (History)
Found By: Security Response Team

Description Alexandros Toptsoglou 2020-11-23 10:07:46 UTC
CVE-2020-27748

A flaw was found in the xdg-email component of xdg-utils-1.1.0-rc1 and newer. When handling mailto: URIs, xdg-email allows attachments to be discreetly added via the URI when being passed to Thunderbird. An attacker could potentially send a victim a URI that automatically attaches a sensitive file to a new email. If a victim user does not notice that an attachment was added and sends the email, this could result in sensitive information disclosure. It has been confirmed that the code behind this issue is in xdg-email and not in Thunderbird.

Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1613425
Upstream commit: https://gitlab.freedesktop.org/Mic92/xdg-utils/-/commit/1f199813e0eb0246f63b54e9e154970e609575af

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1899769
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27748
Comment 1 Alexandros Toptsoglou 2020-11-23 10:08:57 UTC
Tracked as affected: SLE12, SLE15 and SLE15-SP2.
Comment 2 Simon Lees 2021-11-15 11:20:32 UTC
Upstream hasn't merged the fix yet. Some clients such as Evolution have implemented a warning dialog for such cases; notably, Thunderbird hasn't, though. For clients that support adding attachments via the command line, this is likely a better solution.

I believe Debian uses the feature in some cases for collecting bug reports etc., so before implementing this fix by removing the feature in xdg-utils we should triple check that it won't break anything.
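A defensive check in the spirit of the warning dialog Simon mentions, added here as an example that is not part of this bug, of xdg-utils or of any mail client: it splits a mailto: URI, reports any attachment fields an unsuspecting user would otherwise not see, and rebuilds the URI without them. The field names `attach` and `attachment` are an assumption of this example, as is the constructed sample URI.

```python
from urllib.parse import urlsplit, parse_qsl, urlencode, unquote

# Assumption for this example: these are the header-field names that a
# mailto: handler would turn into file attachments. Matched case-insensitively.
ATTACHMENT_KEYS = frozenset({"attach", "attachment"})


def inspect_mailto(uri):
    """Split a mailto: URI into (recipients, safe_fields, attachments).

    safe_fields keeps every header field except attachment fields, in order;
    attachments lists the percent-decoded file paths that would have been
    attached without the user asking for them. Raises ValueError for
    anything that is not a mailto: URI.
    """
    parts = urlsplit(uri)
    if parts.scheme.lower() != "mailto":
        raise ValueError("not a mailto: URI: %r" % uri)
    recipients = [r for r in unquote(parts.path).split(",") if r]
    safe_fields = []
    attachments = []
    # keep_blank_values so an empty "subject=" survives the round trip
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in ATTACHMENT_KEYS:
            attachments.append(value)
        else:
            safe_fields.append((key, value))
    return recipients, safe_fields, attachments


def sanitize_mailto(uri):
    """Return (uri without attachment fields, list of removed attachment paths).

    A wrapper sitting in front of the real handler can refuse, or ask the
    user to confirm, whenever the returned list is non-empty.
    """
    recipients, safe_fields, attachments = inspect_mailto(uri)
    rebuilt = "mailto:" + ",".join(recipients)
    if safe_fields:
        rebuilt += "?" + urlencode(safe_fields)
    return rebuilt, attachments


if __name__ == "__main__":
    # Constructed sample: a normal message with a hidden attachment field.
    sample = ("mailto:alice@example.org?subject=Hello"
              "&attach=%2Fhome%2Fuser%2Fprivate.txt&body=Hi%20there")
    clean, removed = sanitize_mailto(sample)
    print("sanitized:", clean)
    print("would have attached:", removed)
```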
Comment 3 Thomas Leroy 2022-08-25 09:16:55 UTC
(In reply to Simon Lees from comment #2)
> Upstream hasn't merged the fix yet, some clients such as Evolution have
> implemented a warning dialog for such cases, notably Thunderbird hasn't
> though, for clients that support adding attachments via the command line
> this is likely a better solution.
> 
> I believe Debian uses the feature in some cases for collecting bug reports
> etc so before implementing this fix by removing the feature in xdg-utils we
> should triple check that it won't break anything.

Simon, what is the status of this bug upstream? I can see that the upstream PR is closed, so I guess no fix is planned to be developed.
Comment 4 Simon Lees 2022-08-25 10:54:22 UTC
It seems the original patch that removed the functionality was rejected (https://gitlab.freedesktop.org/xdg/xdg-utils/-/merge_requests/28), and the original upstream issue is still open (https://gitlab.freedesktop.org/xdg/xdg-utils/-/issues/177).
Comment 5 Thomas Leroy 2022-09-26 12:28:09 UTC
New PR created, still open:
https://gitlab.freedesktop.org/xdg/xdg-utils/-/merge_requests/58