ALT Linux Team

Package xdg-utils update in sisyphus on 2018-07-01

ALT-PU-2018-1958-1

Package xdg-utils updated to version 1.1.3-alt1 for branch sisyphus in task 209318.

Closed vulnerabilities

Published: 2018-05-10

BDU:2020-01814

Уязвимость функции open_envvar инструмента для настройки использования пользовательских приложений по умолчанию xdg-open, позволяющая нарушителю получить несанкционированный доступ к информации и нарушить ее целостность и доступность

Severity: HIGH (8.8) Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity: CRITICAL (9.3) Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
References:
Published: 2018-05-10
Modified: 2024-11-21

CVE-2017-18266

The open_envvar function in xdg-open in xdg-utils before 1.1.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL, as demonstrated by %s in this environment variable.

Severity: MEDIUM (6.8) Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Severity: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References:
VKontakte | Telegram | YouTube | Forum | GitHub | Bugzilla
Version: 2.1.2
Back to top