1
PublicDateAtUSN: 2018-05-10
2
Candidate: CVE-2017-18266
5
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18266
6
https://cgit.freedesktop.org/xdg/xdg-utils/tree/ChangeLog
7
https://usn.ubuntu.com/usn/usn-3650-1
9
The open_envvar function in xdg-open in xdg-utils before 1.1.3 does not
10
validate strings before launching the program specified by the BROWSER
11
environment variable, which might allow remote attackers to conduct
12
argument-injection attacks via a crafted URL, as demonstrated by %s in this
17
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898317
18
https://bugs.freedesktop.org/show_bug.cgi?id=103807
19
https://bugs.launchpad.net/ubuntu/+source/xdg-utils/+bug/1772295
26
patch: https://cgit.freedesktop.org/xdg/xdg-utils/commit/?id=ce802d71c3466d1dbb24f2fe9b6db82a1f899bcb
27
upstream_xdg-utils: needs-triage
28
precise/esm_xdg-utils: DNE
29
trusty_xdg-utils: released (1.1.0~rc1-2ubuntu7.2)
30
xenial_xdg-utils: released (1.1.1-1ubuntu1.16.04.3)
31
artful_xdg-utils: released (1.1.1-1ubuntu3.2)
32
bionic_xdg-utils: released (1.1.2-1ubuntu2.2)
33
devel_xdg-utils: released (1.1.2-1ubuntu3)