Debian Bug report logs - #437454
CVE-2007-3770: execute arbitrary commands via crafted links using "Open Link" functionality

version graph

Package: xfce4-terminal; Maintainer for xfce4-terminal is Debian Xfce Maintainers <pkg-xfce-devel@lists.alioth.debian.org>; Source for xfce4-terminal is src:xfce4-terminal.

Reported by: Darren Salt <linux@youmustbejoking.demon.co.uk>

Date: Sun, 12 Aug 2007 16:36:04 UTC

Severity: grave

Tags: patch, security

Found in version xfce4-terminal/0.2.5.6rc1-2

Fixed in versions xfce4-terminal/0.2.6-3, xfce4-terminal/0.2.5.6rc1-2etch1

Done: Yves-Alexis Perez <corsac@corsac.net>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Xfce Maintainers <pkg-xfce-devel@lists.alioth.debian.org>:
Bug#437454; Package xfce4-terminal. Full text and rfc822 format available.

Acknowledgement sent to Darren Salt <linux@youmustbejoking.demon.co.uk>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Xfce Maintainers <pkg-xfce-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Darren Salt <linux@youmustbejoking.demon.co.uk>
To: submit@bugs.debian.org
Subject: CVE-2007-3770: execute arbitrary commands via crafted links using "Open Link" functionality
Date: Sun, 12 Aug 2007 16:58:37 +0100
[Message part 1 (text/plain, inline)]
Package: xfce4-terminal
Version: 0.2.5.6rc1-2
Severity: grave
Tags: security, patch

CVE-2007-3770 says:
  The terminal_helper_execute function in terminal/terminal.c in Xfce
  Terminal 0.2.6 allows user-assisted remote attackers to execute arbitrary
  commands via shell metacharacters in a crafted link, as demonstrated using
  the "Open Link" functionality.

Upstream link: http://bugzilla.xfce.org/show_bug.cgi?id=3383

The attached patch fixes this: the code changes add shell quoting, using
g_shell_quote(), and the *.desktop.in files are modified to avoid
over-quoting (without this, we'd get "'foo'" instead of 'foo').

-- 
| Darren Salt    | linux or ds at              | nr. Ashington, | Toon
| RISC OS, Linux | youmustbejoking,demon,co,uk | Northumberland | Army
| + Use more efficient products. Use less.          BE MORE ENERGY EFFICIENT.

Confucius say: He who post large binary, get flamed.

[01_CVE-2007-3770.patch (application/octet-stream, attachment)]

Reply sent to Yves-Alexis Perez <corsac@corsac.net>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Darren Salt <linux@youmustbejoking.demon.co.uk>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #10 received at 437454-close@bugs.debian.org (full text, mbox):

From: Yves-Alexis Perez <corsac@corsac.net>
To: 437454-close@bugs.debian.org
Subject: Bug#437454: fixed in xfce4-terminal 0.2.6-3
Date: Sun, 12 Aug 2007 17:47:15 +0000
Source: xfce4-terminal
Source-Version: 0.2.6-3

We believe that the bug you reported is fixed in the latest version of
xfce4-terminal, which is due to be installed in the Debian FTP archive:

xfce4-terminal_0.2.6-3.diff.gz
  to pool/main/x/xfce4-terminal/xfce4-terminal_0.2.6-3.diff.gz
xfce4-terminal_0.2.6-3.dsc
  to pool/main/x/xfce4-terminal/xfce4-terminal_0.2.6-3.dsc
xfce4-terminal_0.2.6-3_amd64.deb
  to pool/main/x/xfce4-terminal/xfce4-terminal_0.2.6-3_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 437454@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yves-Alexis Perez <corsac@corsac.net> (supplier of updated xfce4-terminal package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 12 Aug 2007 18:00:09 +0100
Source: xfce4-terminal
Binary: xfce4-terminal
Architecture: source amd64
Version: 0.2.6-3
Distribution: unstable
Urgency: high
Maintainer: Debian Xfce Maintainers <pkg-xfce-devel@lists.alioth.debian.org>
Changed-By: Yves-Alexis Perez <corsac@corsac.net>
Description: 
 xfce4-terminal - Xfce terminal emulator
Closes: 437454
Changes: 
 xfce4-terminal (0.2.6-3) unstable; urgency=high
 .
   (Yves-Alexis Perez)
   * debian/menu: switch to new menu policy.
   (Simon Huggins)
   * Fix security problem in URL handling code (CVE-2007-3770) thanks to Darren
     Salt                                                        closes: #437454
   * urgency high for the above.
Files: 
 d8960cd5fd13c5af5debbf92f0bd2af6 941 x11 optional xfce4-terminal_0.2.6-3.dsc
 273f5f7976d025dc3f6789894c5a2bbe 14496 x11 optional xfce4-terminal_0.2.6-3.diff.gz
 e4a1af5d70c5540d885e5f2cfebffb91 1266598 x11 optional xfce4-terminal_0.2.6-3_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGv0OyMQdl+99c4rQRAn+aAJ9eao9E1SozSoc2NA1Sg+VIm3Y8JQCdGyZ0
HNcqrQMEYBoIbG20kQftPWU=
=GZei
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xfce Maintainers <pkg-xfce-devel@lists.alioth.debian.org>:
Bug#437454; Package xfce4-terminal. Full text and rfc822 format available.

Acknowledgement sent to Tino Keitel <tino.keitel@tikei.de>:
Extra info received and forwarded to list. Copy sent to Debian Xfce Maintainers <pkg-xfce-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #15 received at 437454@bugs.debian.org (full text, mbox):

From: Tino Keitel <tino.keitel@tikei.de>
To: 437454@bugs.debian.org
Subject: fix for Etch still missing
Date: Fri, 24 Aug 2007 17:19:08 +0200
Hi,

what is the status of this bug regarding Etch? The Etch version is
affected, too, and the fix should also apply to the Etch version.

Regards,
Tino



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xfce Maintainers <pkg-xfce-devel@lists.alioth.debian.org>:
Bug#437454; Package xfce4-terminal. Full text and rfc822 format available.

Acknowledgement sent to 437454@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Debian Xfce Maintainers <pkg-xfce-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #20 received at 437454@bugs.debian.org (full text, mbox):

From: Simon Huggins <huggie@earth.li>
To: Tino Keitel <tino.keitel@tikei.de>, 437454@bugs.debian.org
Subject: Re: [Pkg-xfce-devel] Bug#437454: fix for Etch still missing
Date: Fri, 24 Aug 2007 17:11:04 +0100
[Message part 1 (text/plain, inline)]
On Fri, Aug 24, 2007 at 05:19:08PM +0200, Tino Keitel wrote:
> what is the status of this bug regarding Etch? The Etch version is
> affected, too, and the fix should also apply to the Etch version.

I have untested packages for stable at:
http://the.earth.li/~huggie/xfce4-terminal-fix/

If you have an amd64 box you can just install the deb.  Otherwise if you
rebuild it from that .dsc/.diff.gz/.orig.tar.gz on your machine and can
let me know that you can reproduce the bug on the old one but not the
new that would be useful.

I need to test it myself tonight.

-- 
 _        huggie@earth.li      -+*+-     fou, con et anglais      _
(_)   "No, the radio works.  You don't" - Basil, Fawlty Towers   (_)
(_)                                                              (_)
  \___                                                        ___/
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xfce Maintainers <pkg-xfce-devel@lists.alioth.debian.org>:
Bug#437454; Package xfce4-terminal. Full text and rfc822 format available.

Acknowledgement sent to Tino Keitel <tino.keitel@tikei.de>:
Extra info received and forwarded to list. Copy sent to Debian Xfce Maintainers <pkg-xfce-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #25 received at 437454@bugs.debian.org (full text, mbox):

From: Tino Keitel <tino.keitel@tikei.de>
To: 437454@bugs.debian.org
Subject: Re: [Pkg-xfce-devel] Bug#437454: fix for Etch still missing
Date: Fri, 24 Aug 2007 20:10:38 +0200
On Fri, Aug 24, 2007 at 17:11:04 +0100, Simon Huggins wrote:
> On Fri, Aug 24, 2007 at 05:19:08PM +0200, Tino Keitel wrote:
> > what is the status of this bug regarding Etch? The Etch version is
> > affected, too, and the fix should also apply to the Etch version.
> 
> I have untested packages for stable at:
> http://the.earth.li/~huggie/xfce4-terminal-fix/
> 
> If you have an amd64 box you can just install the deb.  Otherwise if you
> rebuild it from that .dsc/.diff.gz/.orig.tar.gz on your machine and can
> let me know that you can reproduce the bug on the old one but not the
> new that would be useful.
> 
> I need to test it myself tonight.

I can build it myself if I need them, but I don't use xfce4-terminal
from Etch. I just wondered why a security related bug that is fixed for
nearly 2 weeks in Sid is still not fixed in Etch.

Regards,
Tino



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xfce Maintainers <pkg-xfce-devel@lists.alioth.debian.org>:
Bug#437454; Package xfce4-terminal. Full text and rfc822 format available.

Acknowledgement sent to 437454@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Debian Xfce Maintainers <pkg-xfce-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #30 received at 437454@bugs.debian.org (full text, mbox):

From: Simon Huggins <huggie@earth.li>
To: Tino Keitel <tino.keitel@tikei.de>, 437454@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: [Pkg-xfce-devel] Bug#437454: Bug#437454: fix for Etch still missing
Date: Fri, 24 Aug 2007 19:28:28 +0100
On Fri, Aug 24, 2007 at 08:10:38PM +0200, Tino Keitel wrote:
> On Fri, Aug 24, 2007 at 17:11:04 +0100, Simon Huggins wrote:
> > On Fri, Aug 24, 2007 at 05:19:08PM +0200, Tino Keitel wrote:
> > > what is the status of this bug regarding Etch? The Etch version is
> > > affected, too, and the fix should also apply to the Etch version.
> > I have untested packages for stable at:
> > http://the.earth.li/~huggie/xfce4-terminal-fix/
> > If you have an amd64 box you can just install the deb.  Otherwise if you
> > rebuild it from that .dsc/.diff.gz/.orig.tar.gz on your machine and can
> > let me know that you can reproduce the bug on the old one but not the
> > new that would be useful.
> > I need to test it myself tonight.
> I can build it myself if I need them, but I don't use xfce4-terminal
> from Etch. I just wondered why a security related bug that is fixed for
> nearly 2 weeks in Sid is still not fixed in Etch.

Because no one has picked this up and looked into it I guess.

I've tested the packages above in a stable chroot now.

Debdiff is:
	Depends: libatk1.0-0 (>= 1.12.2), libc6 (>= 2.3.5-1),
	[-libdbus-1-3,-] {+libdbus-1-3 (>= 0.94),+}

	libdbus-1-3 is 1.0.2-1 in stable.

	libdbus-glib-1-2 (>= 0.71),
	libexo-0.3-0 (>= [-0.3.1.10rc1-1),-] {+0.3.1.12rc2-1),+}

	0.3.1.12rc2-1 is current in stable.

	libglib2.0-0 (>= 2.12.0), libgtk2.0-0 (>= 2.8.0),
	libstartup-notification0 (>= 0.8-1), libvte4 (>= 1:0.12.1),
	libx11-6, libxfce4util4 (>= [-4.3.99.1)-] {+4.3.99.2)+}

	4.3.99.2 is in stable.

	Version: [-0.2.5.6rc1-2-] {+0.2.5.6rc1-2etch1+}


Security team, the packages above from
http://the.earth.li/~huggie/xfce4-terminal-fix/
are confirmed working and hopefully have the right distribution
(stable-security) and priority (high).

Can I upload them somewhere?

-- 
 _        huggie@earth.li      -+*+-     fou, con et anglais      _
(_)  <benj[w0rK]> naoko: ca marche parfaitement ... quand on a   (_)
(_)                  une carte QUI FONCTIONNE !                  (_)
  \___            <benj[w0rK]> alors camembert :)             ___/



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xfce Maintainers <pkg-xfce-devel@lists.alioth.debian.org>:
Bug#437454; Package xfce4-terminal. Full text and rfc822 format available.

Acknowledgement sent to Simon Huggins <huggie@earth.li>:
Extra info received and forwarded to list. Copy sent to Debian Xfce Maintainers <pkg-xfce-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #35 received at 437454@bugs.debian.org (full text, mbox):

From: Simon Huggins <huggie@earth.li>
To: 437454@bugs.debian.org, team@security.debian.org
Subject: Re: [Pkg-xfce-devel] Bug#437454: Bug#437454: Bug#437454: fix for Etch still missing
Date: Wed, 10 Oct 2007 07:48:09 +0100
Security team, any news?

On Fri, Aug 24, 2007 at 07:28:28PM +0100, Simon Huggins wrote:
> On Fri, Aug 24, 2007 at 08:10:38PM +0200, Tino Keitel wrote:
> > On Fri, Aug 24, 2007 at 17:11:04 +0100, Simon Huggins wrote:
> > > On Fri, Aug 24, 2007 at 05:19:08PM +0200, Tino Keitel wrote:
> > > > what is the status of this bug regarding Etch? The Etch version is
> > > > affected, too, and the fix should also apply to the Etch version.
> > > I have untested packages for stable at:
> > > http://the.earth.li/~huggie/xfce4-terminal-fix/
> > > If you have an amd64 box you can just install the deb.  Otherwise if you
> > > rebuild it from that .dsc/.diff.gz/.orig.tar.gz on your machine and can
> > > let me know that you can reproduce the bug on the old one but not the
> > > new that would be useful.
> > > I need to test it myself tonight.
> > I can build it myself if I need them, but I don't use xfce4-terminal
> > from Etch. I just wondered why a security related bug that is fixed for
> > nearly 2 weeks in Sid is still not fixed in Etch.
> Because no one has picked this up and looked into it I guess.

> I've tested the packages above in a stable chroot now.

> Debdiff is:
> 	Depends: libatk1.0-0 (>= 1.12.2), libc6 (>= 2.3.5-1),
> 	[-libdbus-1-3,-] {+libdbus-1-3 (>= 0.94),+}

> 	libdbus-1-3 is 1.0.2-1 in stable.

> 	libdbus-glib-1-2 (>= 0.71),
> 	libexo-0.3-0 (>= [-0.3.1.10rc1-1),-] {+0.3.1.12rc2-1),+}

> 	0.3.1.12rc2-1 is current in stable.

> 	libglib2.0-0 (>= 2.12.0), libgtk2.0-0 (>= 2.8.0),
> 	libstartup-notification0 (>= 0.8-1), libvte4 (>= 1:0.12.1),
> 	libx11-6, libxfce4util4 (>= [-4.3.99.1)-] {+4.3.99.2)+}

> 	4.3.99.2 is in stable.

> 	Version: [-0.2.5.6rc1-2-] {+0.2.5.6rc1-2etch1+}

> Security team, the packages above from
> http://the.earth.li/~huggie/xfce4-terminal-fix/
> are confirmed working and hopefully have the right distribution
> (stable-security) and priority (high).

> Can I upload them somewhere?


Simon.

-- 
[ If at first you don't succeed, destroy all evidence that you tried.  ]




Bug marked as fixed in version 0.2.5.6rc1-2etch1. Request was from zobel@ftbfs.de (Martin Zobel-Helas) to control@bugs.debian.org. (Thu, 24 Jan 2008 15:42:03 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 22 Feb 2008 07:33:58 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 07:55:38 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.