GLSA-200801-21 : Xdg-Utils: Arbitrary command execution
Medium Nessus Plugin ID 30138
SynopsisThe remote Gentoo host is missing one or more security-related patches.
DescriptionThe remote host is affected by the vulnerability described in GLSA-200801-21 (Xdg-Utils: Arbitrary command execution)
Miroslav Lichvar discovered that the 'xdg-open' and 'xdg-email' shell scripts do not properly sanitize their input before processing it.
A remote attacker could entice a user to open a specially crafted link with a vulnerable application using Xdg-Utils (e.g. an email client), resulting in the execution of arbitrary code with the privileges of the user running the application.
There is no known workaround at this time.
SolutionAll Xdg-Utils users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose '>=x11-misc/xdg-utils-1.0.2-r1'