Ubuntu
xfce4-terminal package

SECURITY: URL handling allows remote shell command execution

Bug #132046 reported by Lionel Le Folgoc
256
Affects Status Importance Assigned to Milestone
xfce4-terminal
Fix Released
Unknown
xfce4-terminal (Debian)
Fix Released
Unknown
xfce4-terminal (Gentoo Linux)
Fix Released
Medium
xfce4-terminal (Ubuntu)
Fix Released
Medium
Unassigned
Dapper
Fix Released
Medium
Kees Cook
Edgy
Fix Released
Medium
Kees Cook
Feisty
Fix Released
Medium
Kees Cook

Bug Description

Binary package hint: xfce4-terminal

The terminal_helper_execute function in terminal/terminal.c in Xfce Terminal 0.2.6 allows user-assisted remote attackers to execute arbitrary commands via shell metacharacters in a crafted link, as demonstrated using the "Open Link" functionality.

Affected: dapper, edgy, feisty, gutsy (dapper and edgy ships xfce4-terminal 0.2.5 which is a svn snapshot of the 0.2.6).

Patches will be attached as soon as they are tested.

CVE References

Revision history for this message
Lionel Le Folgoc (mrpouit) wrote :
Revision history for this message
Lionel Le Folgoc (mrpouit) wrote :

Btw, I am unable to reproduce the last comment on upstream bugzilla (http://bugzilla.xfce.org/show_bug.cgi?id=3383): env vars are also escaped for me.

Revision history for this message
Lionel Le Folgoc (mrpouit) wrote :

Fixed in gutsy (xfce4-terminal 0.2.6-3ubuntu1).

Revision history for this message
Lionel Le Folgoc (mrpouit) wrote :
Revision history for this message
Lionel Le Folgoc (mrpouit) wrote :
Changed in xfce4-terminal:
importance: Undecided → Medium
status: New → Confirmed
Revision history for this message
Lionel Le Folgoc (mrpouit) wrote :

I tried to write an USN (see attached file).

Bug Watch Updater (bug-watch-updater)
Changed in xfce4-terminal:
status: Unknown → Fix Released
Bug Watch Updater (bug-watch-updater)
Changed in xfce4-terminal:
status: Unknown → Fix Released
Bug Watch Updater (bug-watch-updater)
Changed in xfce4-terminal:
status: Unknown → Fix Released
Revision history for this message
Kees Cook (kees) wrote :

Thanks for getting these prepared, I'm building them now.

Changed in xfce4-terminal:
assignee: nobody → keescook
status: New → Fix Committed
assignee: nobody → keescook
importance: Undecided → Medium
status: New → Fix Committed
status: Confirmed → Fix Released
importance: Undecided → Medium
assignee: nobody → keescook
importance: Undecided → Medium
status: New → Confirmed
Kees Cook (kees)
Changed in xfce4-terminal:
status: Confirmed → Fix Committed
Revision history for this message
Kees Cook (kees) wrote :

Thanks for the USN text. I rearranged it slightly to include credit to the original reporter, and formulate it more in the Ubuntu style (what broke, who can abuse it, and to what end):

Lasse Kärkkäinen discovered that the Xfce Terminal did not correctly
escape shell meta-characters during "Open Link" actions. If a
remote attacker tricked a user into opening a specially crafted URI,
they could execute arbitrary commands with the user's privileges.

Changed in xfce4-terminal:
status: Fix Committed → Fix Released
Revision history for this message
Kees Cook (kees) wrote :

http://www.ubuntu.com/usn/usn-497-1 will be published shortly.

Changed in xfce4-terminal:
status: Fix Committed → Fix Released
Kees Cook (kees)
Changed in xfce4-terminal:
status: Fix Committed → Fix Released
Bug Watch Updater (bug-watch-updater)
Changed in xfce4-terminal (Gentoo Linux):
importance: Unknown → Medium
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.