Debian Linux Security Advisory 3131-1 - John Houwer discovered a way to cause xdg-open, a tool that automatically opens URLs in a user's preferred application, to execute arbitrary commands remotely.
0bc385c6b6e3000bee1436fe2d211ac62230a51377f11c33c6cbd35e2274fcb3
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- -------------------------------------------------------------------------
Debian Security Advisory DSA-3131-1 security@debian.org
https://www.debian.org/security/ Michael Gilbert
January 18, 2015 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : xdg-utils
CVE ID : CVE-2014-9622
Debian Bug : 773085
John Houwer discovered a way to cause xdg-open, a tool that automatically
opens URLs in a user's preferred application, to execute arbitrary
commands remotely.
For the stable distribution (wheezy), this problem has been fixed in
version 1.1.0~rc1+git20111210-6+deb7u2.
For the upcoming stable (jessie) and unstable (sid) distributions,
this problem has been fixed in version 1.1.0~rc1+git20111210-7.3.
We recommend that you upgrade your xdg-utils packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQQcBAEBCgAGBQJUvIOpAAoJELjWss0C1vRzyfIgAL+XQ0ld3B3JXgdPJQQpfdaY
00JPoJhdpOEBxofEiAgkNd7EV2COkmRPO0ekvhxEKavxd9oxUWmNyK9bZ+LaVcDg
OQtAE57gSTF3qFbgOsuPkU0q6eMVPzH+kSxuXBV5962LNKTvdNnnWlri70aB5JLW
rMXdcGkOlh0ozDe5CNz3wZRZGUmbDyRbd29F+BtfAqH7fBtrCBUifwr00A24E6aS
+DIgCSMg5GUuAU3SfTh1xSE3+rfU2uxnTYC1ZdrnJrlBiMIqfitNaE2QOVw8RrAm
PA62BWnbkHJmTHmG0NfAlU5mv3QcaXG9QEny0Plh6QsL1myjkUngH+g/EfdGg845
LNU84A8U19YGfXdWD+dCol11c5mfAPk5NQdtapo9LuP3Hx05MDYVxXCfupbsEV1i
AMHplt7jhnjAsZhgb0RGzgIbi8OEk8rEL+hCiwzzHnmL1RjtHiByhOMFf7ZpbTNA
tF7/cDNchhVaxJ+iKId9JBB0X2FIRrJVfZST6LT3hoCV0nUwjeiTMQTz1Lshs/8Q
EoUfLpJJDemdnk2otXNPGDD4kzJMdpsZx+u77Pm7ZD45LaWuVoROUrk2j4MRwHzK
sI2B+8FA5GKiG1XWRmvTaqm9NZl/N8C2IVmvw1yPDVdSQ0cn90NeJdjcqFt9VV1e
RljXNebLmbE0eLXvhB2ZHPmEy/uedzr2isrLzvejU2NyJKE4qwmc4Xv1o9cxT85J
lh4KOPkOEIgTAsKvywG1bilv5cNLhliEN7CzcFO2AIDIYLz4Txy8WiOHHEIYxTWt
DlhdcXACQ/jpzt8dZh+yMUU33FjsO7fLSb7eaGe0FIx8juZG5gIr0OTg/6eZi+Eb
ruaOCGsKHV0uKBIvID22nDjJnvKsp0fDzKDTz9522ypNQI7k3Krv7I7nM46Y9oN8
n1gVKH0DflS/eZnMDgixUoBHg35pFPSz6FpSAcZRPFxCBU45+K2u0ZZ7Yq1BwEWc
c8c12hVnydyIdNmdqVNIXfcdal+fAZd3ZD9fS53UMQac+RnU5LnLHVaZuyMkITyw
IjJWolZj5JfENaEOEPOkspzm48cu/vp+u4yBnMMy7KyuXGI8y5rQGQIF1/7QJ/SJ
kWVE+qFiI2OPCMQlcyvEZqcaiBqXVrA8kAtH4P0fzz09M806+kb3dqzmxiEUweR7
YaRWSBLir9t6LXRAgAEw1v6oKxwMUWc5ES63QvHultdc4rhB2tFwwuvg0aYXVi3+
HEm7O44WhX5qQgqOUY0N2AJB30i7VNelwLK2Xt3wm/ychcHhkv+otLp17WvBVjA+
6LnJAClnPFm1CLJbpVMi9iebHkw9kJDsN2CZqVs6clSGVYYzIMfogg8969Qona8=
=TI29
-----END PGP SIGNATURE-----