Advisories » MGASA-2018-0289

Updated xdg-utils package fixes security vulnerability

Publication date: 19 Jun 2018
Modification date: 19 Jun 2018
Type: security
Affected Mageia releases : 6
CVE: CVE-2017-18266

Description

Updated xdg-utils package fixes security vulnerability:

The open_envvar function in xdg-open in xdg-utils before 1.1.3 does not validate
strings before launching the program specified by the BROWSER environment
variable, which might allow remote attackers to conduct argument-injection
attacks via a crafted URL, as demonstrated by %s in this environment variable
(CVE-2017-18266).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=23132
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZECHRCR6RWTX46ANDPIAXPMHZ2EOHNJB/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18266

SRPMS

6/core

• xdg-utils-1.1.3-1.mga6