Bug 1093086 - (CVE-2017-18266) VUL-0: CVE-2017-18266: xdg-utils: The open_envvar function in xdg-open does not validate strings before launching the program specified by the BROWSER environment variable
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
unspecified
Other Other
: P3 - Medium : Major
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/205625/
CVSSv3:SUSE:CVE-2017-18266:5.3:(AV:L/...
Reported: 2018-05-14 09:04 UTC by Karol Babioch
Modified: 2021-11-16 12:45 UTC
Found By: Security Response Team
Description Karol Babioch 2018-05-14 09:04:35 UTC
CVE-2017-18266

The open_envvar function in xdg-open in xdg-utils before 1.1.3 does not validate
strings before launching the program specified by the BROWSER environment
variable, which might allow remote attackers to conduct argument-injection
attacks via a crafted URL, as demonstrated by %s in this environment variable.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-18266
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18266.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18266
https://cgit.freedesktop.org/xdg/xdg-utils/tree/ChangeLog
https://cgit.freedesktop.org/xdg/xdg-utils/commit/?id=5647afb35e4bcba2060148e1a2a47bc43cc240f2
https://bugs.freedesktop.org/show_bug.cgi?id=103807
https://cgit.freedesktop.org/xdg/xdg-utils/commit/?id=ce802d71c3466d1dbb24f2fe9b6db82a1f899bcb
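
The class of bug described above, as an added example that is not part of this bug report and is not the xdg-utils source: a simplified model of a launcher that expands a `BROWSER`-style `program %s` template, first by substituting the URL and then word-splitting, then by splitting only the template and inserting the URL as a single argument. The names `show_args`, `launch_unsafe` and `launch_safe` and the sample URL are constructed for illustration.

```shell
#!/bin/sh
# Simplified model of a "BROWSER=prog %s" launcher (assumption: not xdg-utils code).

# Hypothetical stand-in for the browser: prints each argument it receives in [].
show_args() { for a in "$@"; do printf '[%s]' "$a"; done; echo; }

# Unsafe pattern: substitute the URL into the template, then let the shell
# word-split the combined string. Whitespace in the URL becomes extra arguments.
launch_unsafe() {
    template=$1 url=$2
    set -f                                  # no globbing while splitting
    # shellcheck disable=SC2046,SC2059
    set -- $(printf "$template" "$url")     # URL text is split like config text
    set +f
    "$@"
}

# Safer pattern: split only the template (local configuration), then replace
# %s inside each resulting word with the URL as one unsplit string.
launch_safe() {
    template=$1 url=$2
    set -f; set -- $template; set +f
    n=$#
    while [ "$n" -gt 0 ]; do
        word=$1; shift
        case $word in
            *%s*)
                pre=${word%%%s*}            # text before the first %s
                post=${word#*%s}            # text after the first %s
                set -- "$@" "$pre$url$post" ;;
            *)  set -- "$@" "$word" ;;
        esac
        n=$((n - 1))
    done
    "$@"                                    # URL is always exactly one argument
}

# Constructed sample URL containing a space followed by an option-like token.
SAMPLE_URL='https://example.com/ --constructed-flag'
launch_unsafe 'show_args %s' "$SAMPLE_URL"
launch_safe   'show_args %s' "$SAMPLE_URL"
```
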
Comment 1 Karol Babioch 2018-05-14 09:05:19 UTC
Upstream bug: https://bugs.freedesktop.org/show_bug.cgi?id=103807

The proposed fix is not complete, since something like the following still works:

BROWSER="firefox %s" xdg-open "https://google.com$(touch /tmp/test)"
Comment 2 Karol Babioch 2018-05-16 09:31:06 UTC
Never mind, I misunderstood the issue here and my previous comment is invalid (see upstream bug).
Comment 4 Swamp Workflow Management 2018-06-04 19:07:17 UTC
SUSE-SU-2018:1497-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1093086
CVE References: CVE-2017-18266
Sources used:
SUSE Linux Enterprise Server 12-SP3 (src):    xdg-utils-20140630-6.3.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    xdg-utils-20140630-6.3.1
Comment 5 Swamp Workflow Management 2018-06-05 15:11:53 UTC
This is an autogenerated message for OBS integration:
This bug (1093086) was mentioned in
https://build.opensuse.org/request/show/614321 15.0 / xdg-utils
Comment 6 Andreas Stieger 2018-06-07 18:53:47 UTC
release for Leap 15.0, done
Comment 7 Swamp Workflow Management 2018-06-07 22:13:14 UTC
openSUSE-SU-2018:1596-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1093086
CVE References: CVE-2017-18266
Sources used:
openSUSE Leap 15.0 (src):    xdg-utils-20170508-lp150.3.3.2