Debian Security Advisory

DLA-217-1 xdg-utils -- LTS security update

Date Reported:
01 May 2015
Affected Packages:
xdg-utils
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2014-9622, CVE-2015-1877.
More information:

The two CVE issues below have recently been fixed in Debian squeeze-lts:

  • CVE-2014-9622

    John Houwer discovered a way to cause xdg-open, a tool that automatically opens URLs in a user's preferred application, to execute arbitrary commands remotely.

  • CVE-2015-1877

    Jiri Horner discovered a way to cause xdg-open, a tool that automatically opens URLs in a user's preferred application, to execute arbitrary commands remotely.

    This problem only affects /bin/sh implementations that don't sanitize local variables. Dash, which is the default /bin/sh in Debian, is affected. Bash as /bin/sh is known to be unaffected.