Bug 1093086 – VUL-0: CVE-2017-18266: xdg-utils: The open_envvar function in xdg-open does not validate strings before launching the program specified by the BROWSER environment variable

Bug 1093086 - (CVE-2017-18266) VUL-0: CVE-2017-18266: xdg-utils: The open_envvar function in xdg-open does not validate strings before launching the program specified by the BROWSER environment variable

(CVE-2017-18266)
Summary:	VUL-0: CVE-2017-18266: xdg-utils: The open_envvar function in xdg-open does n...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Major
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/205625/
Whiteboard:	CVSSv3:SUSE:CVE-2017-18266:5.3:(AV:L/...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2018-05-14 09:04 UTC by Karol Babioch
Modified:	2021-11-16 12:45 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Karol Babioch 2018-05-14 09:04:35 UTC

CVE-2017-18266

The open_envvar function in xdg-open in xdg-utils before 1.1.3 does not validate
strings before launching the program specified by the BROWSER environment
variable, which might allow remote attackers to conduct argument-injection
attacks via a crafted URL, as demonstrated by %s in this environment variable.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-18266
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18266.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18266
https://cgit.freedesktop.org/xdg/xdg-utils/tree/ChangeLog
https://cgit.freedesktop.org/xdg/xdg-utils/commit/?id=5647afb35e4bcba2060148e1a2a47bc43cc240f2
https://bugs.freedesktop.org/show_bug.cgi?id=103807
https://cgit.freedesktop.org/xdg/xdg-utils/commit/?id=ce802d71c3466d1dbb24f2fe9b6db82a1f899bcb

Comment 1 Karol Babioch 2018-05-14 09:05:19 UTC

Upstream bug: https://bugs.freedesktop.org/show_bug.cgi?id=103807

The proposed fix is not complete, since something like the following still works:

BROWSER="firefox %s" xdg-open "https://google.com$(touch /tmp/test)"

Comment 2 Karol Babioch 2018-05-16 09:31:06 UTC

Nevermind, I misunderstood the issue here and my previous comment is invalid (see upstream bug).

Comment 4 Swamp Workflow Management 2018-06-04 19:07:17 UTC

SUSE-SU-2018:1497-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1093086
CVE References: CVE-2017-18266
Sources used:
SUSE Linux Enterprise Server 12-SP3 (src):    xdg-utils-20140630-6.3.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    xdg-utils-20140630-6.3.1

Comment 5 Swamp Workflow Management 2018-06-05 15:11:53 UTC

This is an autogenerated message for OBS integration:
This bug (1093086) was mentioned in
https://build.opensuse.org/request/show/614321 15.0 / xdg-utils

Comment 6 Andreas Stieger 2018-06-07 18:53:47 UTC

release for Leap 15.0, done

Comment 7 Swamp Workflow Management 2018-06-07 22:13:14 UTC

openSUSE-SU-2018:1596-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1093086
CVE References: CVE-2017-18266
Sources used:
openSUSE Leap 15.0 (src):    xdg-utils-20170508-lp150.3.3.2