Bug 1113079 - (CVE-2018-18398) VUL-1: CVE-2018-18398: Thunar: mishandling the IBus-Unikey input method for file searches within File Manager
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Component: Xfce
Version: Leap 42.3
Hardware: Other Other
Priority: P4 - Low
Severity: Minor
Assigned To: E-mail List
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/217797/
Reported: 2018-10-24 11:15 UTC by Robert Frohl
Modified: 2019-04-11 21:37 UTC (History)
Found By: Security Response Team
Description Robert Frohl 2018-10-24 11:15:12 UTC
CVE-2018-18398

Xfce Thunar 1.6.15, when Xfce 4.12 is used, mishandles the IBus-Unikey input
method for file searches within File Manager, leading to an out-of-bounds read
and SEGV. This could potentially be exploited by an arbitrary local user who
creates files in /tmp before the victim uses this input method.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-18398
http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-18398.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18398
https://0xd0ff9.wordpress.com/2018/10/18/cve-2018-18398/
Comment 1 Robert Frohl 2018-10-24 11:16:05 UTC
Couldn't find a patch, so I am unsure if openSUSE is affected.
Comment 2 Vinzenz Vietzke 2019-03-21 22:58:05 UTC
In Leap 42.3 Thunar is v1.6.10, in Leap 15 it's 1.6.14, TW has 1.8.4. So none of the officially supported distribution versions matches the reportedly problematic version of Thunar.
Furthermore, Leap 42.3 is expected to be EOL in June 2019. So I guess this problem is obsolete?
Comment 3 Vinzenz Vietzke 2019-04-11 21:37:49 UTC
No reply since 2019-03-21. As none of the officially supported distribution versions matches the reportedly problematic version of Thunar, I'll close this bug.