Tuesday, February 3, 2009

Security Update: xdg-utils

There is one security update released today by the Slackware Security Team: xdg-utils. It applies to Slackware 12.2 and -Current. Here is the full description of the bug from the -Current ChangeLog:
Mon Feb 2 17:47:18 CST 2009
This update fixes two security issues. First, use of xdg-open in /etc/mailcap was found to be unsafe -- xdg-open passes along downloaded files without indicating what mime type they initially presented themselves as, leaving programs further down the processing chain to discover the file type again. This makes it rather trivial to present a script (such as a .desktop file) as a document type (like a PDF) so that it looks safe to click on in a browser, but will result in the execution of an arbitrary script. It might be safe to send files to trusted applications in /etc/mailcap, but it does not seem to be safe to send files to xdg-open in /etc/mailcap.
This package will comment out calls to xdg-open in /etc/mailcap if they are determined to have been added by a previous version of this package.
If you've made any local customizations to /etc/mailcap, be sure to check that there are no uncommented calls to xdg-open after installing this update.
Thanks to Manuel Reimer for discovering this issue.
For more information, see:
Another bug in xdg-open fails to sanitize input properly allowing the execution of arbitrary commands. This was fixed in the xdg-utils repository quite some time ago (prior to the inclusion of xdg-utils in Slackware), but was never fixed in the official release of xdg-utils. The sources for xdg-utils in Slackware have now been updated from the repo to fix the problem.
For more information, see:
(* Security fix *)
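A practical form of the check the changelog asks for on a locally customized /etc/mailcap (an added example, not from the Slackware changelog or the xdg-utils project): a POSIX shell audit that lists every active mailcap entry whose view command still invokes xdg-open. The sample mailcap it runs against is constructed for the demonstration; point check_mailcap at /etc/mailcap for the real thing.

```shell
#!/bin/sh
# Added example, not part of the Slackware changelog or xdg-utils:
# audit a mailcap file for entries that still hand files to xdg-open.

# list_xdg_open_entries FILE
# Print each active mailcap entry whose command field runs xdg-open.
# Backslash-continued lines are joined first and comment lines dropped,
# so an entry split over several lines is still seen as one entry.
list_xdg_open_entries() {
    sed -e ':a' -e '/\\$/N' -e 's/\\\n//' -e 'ta' "$1" \
      | grep -v '^[[:space:]]*#' \
      | awk -F';' '{
            # Field 2 is the view command; inspect its words with any
            # path prefix stripped, so "xdg-open %s" and
            # "/usr/bin/xdg-open %s" are both caught.
            n = split($2, w, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                cmd = w[i]; sub(/.*\//, "", cmd)
                if (cmd == "xdg-open") { print; break }
            }
        }'
}

# check_mailcap FILE -> 0 if clean, 1 (and prints the offenders) otherwise
check_mailcap() {
    hits=$(list_xdg_open_entries "$1")
    [ -z "$hits" ] && return 0
    printf 'Active xdg-open entries in %s:\n%s\n' "$1" "$hits"
    return 1
}

# write_sample_mailcap FILE: a constructed mailcap used for the demo.
write_sample_mailcap() {
    cat > "$1" <<'EOF'
# constructed sample mailcap
application/pdf; xpdf %s; test=test -n "$DISPLAY"
# application/x-desktop; xdg-open %s   <- already commented out by the update
text/html; /usr/bin/xdg-open %s; \
  description=still handed to xdg-open
image/png; display %s
EOF
}

# Demo on the constructed file; the real target is /etc/mailcap.
sample=$(mktemp)
write_sample_mailcap "$sample"
check_mailcap "$sample" || echo "=> comment out or replace those entries"
rm -f "$sample"
```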