Bug#975370: xdg-utils: CVE-2020-27748: local file inclusion vulnerability

Nicholas Guriev guriev-ns at ya.ru
Sun Nov 29 06:40:17 GMT 2020


Hi!

The proposed change offers to completely remove the `attach` parameter. I don't
like to break existing features. We should work out a more convenient
solution. For example, Evolution in the same case shows a warning about
the attached hidden file.

More generally, is it an issue if I can choose a secret file from the
attachment dialog?

On Sat, 2020-11-21 at 10:25 +0100, Salvatore Bonaccorso wrote:
> Source: xdg-utils
> Version: 1.1.3-2
> Severity: important
> Tags: security upstream
> Forwarded: https://gitlab.freedesktop.org/xdg/xdg-utils/-/issues/177
> X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
> Control: found -1 1.1.3-1+deb10u1
> Control: found -1 1.1.3-1
> 
> Hi,
> 
> The following vulnerability was published for xdg-utils; the issue is
> there source-wise but is maybe less effective if #855859 is still a
> problem and does not actually work well with thunderbird.
> 
> CVE-2020-27748[0]:
> > local file inclusion vulnerability
> 
> It is not yet fixed upstream, see [1].
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2020-27748
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27748
> [1] https://gitlab.freedesktop.org/xdg/xdg-utils/-/issues/177
> 
> Please adjust the affected versions in the BTS as needed.
> 
> Regards,
> Salvatore
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: screenshot-1.png
Type: image/png
Size: 110075 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-freedesktop-maintainers/attachments/20201129/032d71ba/attachment-0001.png>

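The alternative discussed in this reply (keep the `attach` parameter but warn about suspicious files rather than dropping the feature) can be sketched as a small policy check in front of a mailto: handler. The code below is an added example written for this page, not xdg-utils code and not the patch under discussion; the function names, the home directory `/home/alice` and the sample URIs are constructed for illustration. It extracts every `attach=` value from a mailto: URI and reports, purely lexically, whether the path is relative, points at a hidden file or directory (a component starting with `.`), or lies outside the user's home directory, so a front end can show a warning and ask for confirmation before attaching.

```python
"""Added example (not xdg-utils code): flag suspicious attach= values in a
mailto: URI instead of removing the parameter outright."""
from pathlib import PurePosixPath
from urllib.parse import unquote, urlsplit


def attach_params(mailto_uri):
    """Return the percent-decoded attach= values of a mailto: URI, in order.

    The query is split by hand rather than with parse_qsl because '+' is a
    literal character in mailto: (RFC 6068), not a space, and header-field
    names are compared case-insensitively ('Attach' == 'attach').
    """
    split = urlsplit(mailto_uri)
    if split.scheme.lower() != "mailto":
        raise ValueError("not a mailto: URI: %r" % mailto_uri)
    values = []
    for field in split.query.split("&"):
        if not field:
            continue
        key, _, value = field.partition("=")
        if key.lower() == "attach":
            values.append(unquote(value))
    return values


def warnings_for(raw_path, home):
    """Classify one attach= value without touching the filesystem.

    Returns a list of reasons (empty means nothing to warn about):
      'relative-path' - not an absolute path; a handler should not guess a base
      'hidden'        - some path component starts with '.' (dotfile/dot-dir)
      'outside-home'  - the file is not under the user's home directory
    '..' and '.' components are collapsed lexically first so that
    '/home/alice/../bob/x' is judged as '/home/bob/x'. Symlinks are NOT
    resolved here; see the note below.
    """
    path = PurePosixPath(raw_path)
    if not path.is_absolute():
        return ["relative-path"]
    parts = []
    for part in path.parts[1:]:  # parts[0] is '/'
        if part == "..":
            if parts:
                parts.pop()
        elif part != ".":
            parts.append(part)
    norm = PurePosixPath("/", *parts)
    reasons = []
    if any(p.startswith(".") for p in norm.parts[1:]):
        reasons.append("hidden")
    if PurePosixPath(home) not in norm.parents:
        reasons.append("outside-home")
    return reasons


def review_mailto(mailto_uri, home):
    """Pair every attach= value with its warnings, in URI order."""
    return [(p, warnings_for(p, home)) for p in attach_params(mailto_uri)]


if __name__ == "__main__":
    # Constructed sample: a link that attaches a normal document, a dotfile
    # and a system file. Real handlers would take $HOME from the environment.
    sample = ("mailto:bob@example.org?subject=report"
              "&Attach=%2Fhome%2Falice%2Freport.pdf"
              "&attach=/home/alice/.hidden-notes"
              "&attach=/etc/hostname")
    for path, reasons in review_mailto(sample, "/home/alice"):
        status = "ok" if not reasons else "WARN " + ",".join(reasons)
        print("%-30s %s" % (path, status))
```

The check is deliberately lexical so it can run on untrusted input before anything is opened; it is a trigger for a confirmation dialog, not an access-control decision. A symlink inside the home directory pointing elsewhere would pass as `ok`, so a handler that wants a hard policy should additionally resolve the path with `os.path.realpath` after the user has confirmed and re-run the same classification on the result.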