pkgsrc-Users archive


Re: xdg-utils-1.0.2 (Re: [HEADSUP] Removing vulnerable packages



Obache San, thank you for the response.

| From: "OBATA Akio" <obache%NetBSD.org@localhost>
| Subject: Re: xdg-utils-1.0.2 (Re: [HEADSUP] Removing vulnerable packages
| Date: Tue, 05 Apr 2011 10:42:25 +0900
| Message-ID: <op.vtfy0zrvcmitfu%ponkan.lins.jp@localhost>

        > I have the patch to 1.1.0-rc1 prepared.
        > http://www.ki.nu/~makoto/pkgsrc/misc/xdg-utils-1.0.2

obache> Where can we get the information that 1.1.0 will not be vulnerable?

I think the problem is at:
  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0386
+------
| Overview
| Xdg-utils 1.0.2 and earlier allows user-assisted remote
| attackers to execute arbitrary commands via shell
| metacharacters in a URL argument to (1) xdg-open or 
| (2) xdg-email.
+------

and the xdg-utils-1.1.0-rc1/ChangeLog says,
+ ---
| 2008-01-24 Kevin Krammer <kevin.krammer%gmx.at@localhost>
|     * Fixing security issue in xdg-email and xdg-open at replacing
|       parameter in $BROWSER
+ ---
My information is no more than that, thank you,
---
Makoto Fujiwara
mef%NetBSD.org@localhost
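
The bug class named in the CVE overview and ChangeLog entry quoted above (a URL substituted into a `$BROWSER`-style command), as an added example that is not part of the original message and not code from xdg-utils. The function names, the `echo opening %s` template and the sample URL are constructed for illustration, and `open_unsafe` is an assumed shape of the flaw, not the actual xdg-utils source.

```shell
#!/bin/sh
# A BROWSER-style template holds a command with %s where the URL goes.

# Unsafe pattern: the URL is pasted into a string that the shell parses
# again, so characters such as ';' in the URL become shell syntax.
open_unsafe() {
    template=$1; url=$2
    prefix=${template%%"%s"*}      # text before the first %s
    suffix=${template#*"%s"}       # text after the first %s
    eval "${prefix}${url}${suffix}"
}

# Hardened pattern: split the trusted template into words first, then
# substitute the URL into a single argv element. The URL is never re-parsed.
open_safe() {
    template=$1; url=$2
    set -f                         # no globbing while splitting the template
    set -- $template               # word-split the template only
    set +f
    n=$#
    for word in "$@"; do
        case $word in
            *%s*) word=${word%%"%s"*}${url}${word#*"%s"} ;;
        esac
        set -- "$@" "$word"        # append the rewritten word
    done
    shift "$n"                     # drop the original words
    "$@"                           # run with the URL as plain data
}

# Constructed input: a URL argument carrying a shell metacharacter.
sample_url='http://example.invalid/;echo INJECTED'
echo "unsafe:"; open_unsafe 'echo opening %s' "$sample_url"
echo "safe:";   open_safe   'echo opening %s' "$sample_url"
```

With the unsafe form the text after `;` runs as a second command; with the hardened form the whole string reaches the program as one argument.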

