[bluewhite64-security] xdg-utils (BW64SA:20090203-01)
Hash: SHA1
New xdg-utils packages are available for Bluewhite64 12.2 and -current to
fix security issues. Applications that use /etc/mailcap could be tricked
into running an arbitrary script through xdg-open, and a separate flaw in
xdg-open could allow the execution of arbitrary commands embedded in untrusted
input provided to xdg-open.
More details about the issues may be found in the Common
Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0068
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0386
Here are the details from the Bluewhite64 12.2 ChangeLog:
+--------------------------+
PATCHES/packages/xdg-utils-1.0.2-noarch-3.tgz: This update fixes two security issues.
First, use of xdg-open in /etc/mailcap was found to be unsafe -- xdg-open
passes along downloaded files without indicating what mime type they initially
presented themselves as, leaving programs further down the processing chain
to discover the file type again. This makes it rather trivial to present a
script (such as a .desktop file) as a document type (like a PDF) so that it
looks safe to click on in a browser, but will result in the execution of an
arbitrary script. It might be safe to send files to trusted applications in
/etc/mailcap, but it does not seem to be safe to send files to xdg-open in
/etc/mailcap. This package will comment out calls to xdg-open in /etc/mailcap
if they are determined to have been added by a previous version of this package.
If you've made any local customizations to /etc/mailcap, be sure to check
that there are no uncommented calls to xdg-open after installing this update.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0068
Another bug in xdg-open fails to sanitize input properly, allowing the
execution of arbitrary commands. This was fixed in the xdg-utils repository
quite some time ago (prior to the inclusion of xdg-utils in Bluewhite64), but
was never fixed in the official release of xdg-utils. The sources for
xdg-utils in Bluewhite64 have now been updated from the repo to fix the problem.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0386
[*** Security fix ***]
+--------------------------+
Where to find the new packages:
+-----------------------------+
See the "Get Bluewhite64" section on http://www.bluewhite64.com for additional
mirror sites near you.
Updated package for Bluewhite64 12.2:
http://data.bluewhite64.com/bluewhite64-12.2/patches/packages/xdg-utils-1.0.2-noarch-3.tgz
Updated package for Bluewhite64 -current:
http://data.bluewhite64.com/bluewhite64-current/bluewhite64/x/xdg-utils-1.0.2-noarch-3.tgz
MD5 signatures:
+-------------+
Bluewhite64 12.2 package:
50c86ec3b49cb4fbc738ec883b537c80 xdg-utils-1.0.2-noarch-3.tgz
Bluewhite64 -current package:
50c86ec3b49cb4fbc738ec883b537c80 xdg-utils-1.0.2-noarch-3.tgz
Installation instructions:
+------------------------+
Upgrade the package as root:
# upgradepkg xdg-utils-1.0.2-noarch-3.tgz
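Added example, not part of the advisory or of the xdg-utils project: a POSIX shell script that wraps the upgradepkg step above with the two checks a practitioner would want around it. Before installing, it compares the downloaded package's MD5 with the value listed under "MD5 signatures" and refuses to continue on a mismatch; after installing, it lists every uncommented /etc/mailcap entry whose view command or edit=/compose= flag still invokes xdg-open, which is the manual check the ChangeLog asks for when /etc/mailcap carries local customizations. It assumes GNU coreutils md5sum, a package file already downloaded into the current directory, and a root shell; run with --run it performs the update, run or sourced without arguments it only defines the functions.

```shell
#!/bin/sh
# Added example (not from the advisory): verify the xdg-utils package before
# upgrading, then audit /etc/mailcap for active xdg-open calls afterwards.
# Assumes GNU coreutils md5sum and that the package is in the current directory.

PKG="xdg-utils-1.0.2-noarch-3.tgz"
# MD5 listed in the advisory for both the 12.2 and -current packages.
EXPECTED_MD5="50c86ec3b49cb4fbc738ec883b537c80"

# verify_md5 FILE EXPECTED
# Returns 0 when FILE exists and its MD5 equals EXPECTED, 1 otherwise.
verify_md5() {
    file=$1
    expected=$2
    [ -f "$file" ] || return 1
    actual=$(md5sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# active_xdg_open_entries MAILCAP
# Prints each mailcap entry that is not commented out and whose view command
# (second ';'-separated field) or any later field such as edit=/compose=
# invokes xdg-open. Lines continued with a trailing backslash are joined
# first. Returns 0 if at least one such entry was printed, 1 otherwise.
active_xdg_open_entries() {
    mailcap=$1
    [ -f "$mailcap" ] || return 1
    awk '
        # join physical lines continued with a trailing backslash
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }
        { line = buf $0; buf = "" }
        # skip blank lines and comments
        line ~ /^[ \t]*(#|$)/ { next }
        {
            n = split(line, f, ";")
            # f[1] is the MIME type; f[2] is the view command; later fields
            # are flags such as edit= or compose= that can also run commands
            for (i = 2; i <= n; i++)
                if (f[i] ~ /(^|[^A-Za-z0-9_-])xdg-open([^A-Za-z0-9_-]|$)/) {
                    print line
                    break
                }
        }
    ' "$mailcap" | grep .
}

# update_and_audit
# 1. refuse to install a package whose MD5 differs from the advisory,
# 2. upgrade it with upgradepkg (must run as root),
# 3. report any surviving uncommented xdg-open calls in /etc/mailcap.
update_and_audit() {
    if ! verify_md5 "$PKG" "$EXPECTED_MD5"; then
        echo "MD5 mismatch or missing file: $PKG -- not installing" >&2
        return 1
    fi
    upgradepkg "$PKG" || return 1
    if active_xdg_open_entries /etc/mailcap; then
        echo "WARNING: the entries above still call xdg-open; comment them out" >&2
        return 2
    fi
    echo "OK: package verified and upgraded; no active xdg-open entries in /etc/mailcap"
}

# Only perform the real update when asked; otherwise just define the functions.
if [ "${1:-}" = "--run" ]; then
    update_and_audit
fi
```

Invoke as `sh check-xdg-utils.sh --run` from the directory holding the package. The MD5 comparison only guards against a corrupted or substituted download relative to the hash printed in this advisory; it is the PGP signature at the bottom of the message, not the MD5, that ties that hash to the security team, so verify the signature before trusting the listed value.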
+-----+
Bluewhite64 Linux Security Team
http://bluewhite64.com/gpg-key
security@bluewhite64.com
+-------------------------------------------------------+
| To leave the bluewhite64-security mailing list:
+-------------------------------------------------------+
| Send a blank email to
|
| bluewhite64-security-unsubscribe@bluewhite64.com
|
| You will get a confirmation message back containing
| instructions to complete the process.
|
| Please do not reply to this email address.
+-------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkmIsC4ACgkQpTOsxuDdlY79rgCfWnrZxZhHtZ8QVNGCy7e8QEBu
69IAn2trCeD6qjZ4065Og6tf6hY1XmHZ
=KTZ6
-----END PGP SIGNATURE-----