
Bug#1013129: marked as done (exo: CVE-2022-32278)



Your message dated Sun, 19 Jun 2022 17:47:26 +0000
with message-id <E1o2z1C-000Fq8-4u@fasolo.debian.org>
and subject line Bug#1013129: fixed in exo 0.12.4-1+deb10u1
has caused the Debian Bug report #1013129,
regarding exo: CVE-2022-32278
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1013129: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013129
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: exo
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for exo.

CVE-2022-32278[0]:
| XFCE 4.16 allows attackers to execute arbitrary code because xdg-open
| can execute a .desktop file on an attacker-controlled FTP server.

https://gitlab.xfce.org/xfce/exo/-/commit/c71c04ff5882b2866a0d8506fb460d4ef796de9f

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-32278
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32278

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: exo
Source-Version: 0.12.4-1+deb10u1
Done: Yves-Alexis Perez <corsac@debian.org>

We believe that the bug you reported is fixed in the latest version of
exo, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1013129@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yves-Alexis Perez <corsac@debian.org> (supplier of updated exo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 18 Jun 2022 14:25:09 +0200
Source: exo
Architecture: source
Version: 0.12.4-1+deb10u1
Distribution: oldstable-security
Urgency: medium
Maintainer: Debian Xfce Maintainers <debian-xfce@lists.debian.org>
Changed-By: Yves-Alexis Perez <corsac@debian.org>
Closes: 1013129
Changes:
 exo (0.12.4-1+deb10u1) oldstable-security; urgency=medium
 .
   * d/patches: 0001-exo-open-Only-execute-local-.desktop-files.patch added
     Fix CVE-2022-32278, exo allows executing .desktop files with remote URI
     scheme.
     (Closes: #1013129)
Checksums-Sha1:
 ec7725974545875907d32cf9337f58d8e96f8e1f 2074 exo_0.12.4-1+deb10u1.dsc
 2fda283fa85b79ad7c4f644e5d18879e1f2d57d2 1235738 exo_0.12.4.orig.tar.bz2
 3d477cbe2a54eaf43384f783129c518ba5b56f26 14916 exo_0.12.4-1+deb10u1.debian.tar.xz
 09c01f389137b68d4360c9271cec8053e7a78974 18991 exo_0.12.4-1+deb10u1_amd64.buildinfo
Checksums-Sha256:
 7026aa77acb42beaf5530e4b562dc67a6f037140f1026237c9e91c5486e4d4e0 2074 exo_0.12.4-1+deb10u1.dsc
 b0af60816bdb572ce53f19462fb1f3a5895a04017a878893dc03c166ea2050af 1235738 exo_0.12.4.orig.tar.bz2
 59dba09929e51705eb634dd63d2738355d1f0fb0c00f1c188c9a5f3aeb409227 14916 exo_0.12.4-1+deb10u1.debian.tar.xz
 2b03c406fb73882f18d3fe01dedb2c5b706ae17e77b0cbb06e403760f7c6ba8d 18991 exo_0.12.4-1+deb10u1_amd64.buildinfo
Files:
 e90dcfa04b96133532426725467afd9c 2074 xfce optional exo_0.12.4-1+deb10u1.dsc
 962bbccb38db0aecd4151ca97f6a39bc 1235738 xfce optional exo_0.12.4.orig.tar.bz2
 db85723e76ec39dccc7394c6b63afdfd 14916 xfce optional exo_0.12.4-1+deb10u1.debian.tar.xz
 32e49cada7afb46651c4c182f5d6c77e 18991 xfce optional exo_0.12.4-1+deb10u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEE8vi34Qgfo83x35gF3rYcyPpXRFsFAmKtxXAACgkQ3rYcyPpX
RFvfhQf/ckVuuVCw3CoDwYNuzsOtvgb3p+GXyIMjc9a9GYS3yP4ggdEanjAjjWdf
smOkclYhVE9jkQSWR0mTvJ33TFRh9uX5QpWH7p3e/SM+LC8R2R1jJTl0TH1u3zIj
BI/lIYJ83JPGjiwXOAbHDzfXqsdrlLINQBM9ZhNkiH9ON4AIZ1M5tI0usbwY6icF
NClKX5sBzrhjv/x3gXV7FEDassop4D23kPVNLZ0dgJN3LuiIWNvBEnId7BYS52L4
dCLAzP9ideCMFx5lBwdn+fs5H2PbCxWEhoJJoAAfoiqyqWO5nEsSxm7rOym/cDbt
pu3Q1Nd7sMHRs0klmvKhwjF6pfe+sA==
=uJT2
-----END PGP SIGNATURE-----

--- End Message ---
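The changelog entry above names the policy the fix applies, "only execute local .desktop files", and the CVE text explains why it is needed: a .desktop file fetched over a remote scheme such as ftp:// can carry an Exec= line that runs on the user's machine. The following block is an added illustration written for this page; it is not exo's code (exo is a C/GLib project, and the actual patch is the commit linked in the report), and the function names, the 'execute'/'open'/'refuse' outcomes and the sample arguments are all constructed for the example. It shows the decision a launcher needs to make before treating an argument as an executable launcher file: accept plain paths and file:// URIs with no host or localhost, and refuse any .desktop target that lives behind another scheme or a remote host.

```python
"""Decide whether a .desktop target may be launched: only local files qualify.

Added illustration of the policy "only execute local .desktop files".
Not exo's code; the names and outcomes below are assumptions for the example.
"""
import os
from urllib.parse import urlsplit, unquote

# Schemes that refer to the local filesystem. An empty scheme is a plain
# path such as /usr/share/applications/foo.desktop.
LOCAL_SCHEMES = {"", "file"}
LOCAL_HOSTS = {"", "localhost"}


def classify_target(arg: str, require_exists: bool = False) -> dict:
    """Classify a launcher argument.

    Returns a dict with:
      is_desktop  - the target name ends in .desktop
      is_local    - the target refers to the local filesystem
      path        - decoded local path (None for non-local targets)
      action      - 'execute' (local .desktop), 'refuse' (remote .desktop),
                    or 'open' (anything else; hand to the normal URI handler)
    With require_exists=True a local .desktop file that is missing on disk
    is refused as well.
    """
    parts = urlsplit(arg)
    scheme = parts.scheme.lower()
    # A one-letter "scheme" is a drive letter (C:\...), i.e. a plain path.
    if len(scheme) == 1:
        scheme = ""
    is_desktop = parts.path.lower().endswith(".desktop")
    is_local = scheme in LOCAL_SCHEMES and parts.netloc.lower() in LOCAL_HOSTS
    path = unquote(parts.path) if is_local else None

    if not is_desktop:
        action = "open"          # ordinary document or URL, not a launcher
    elif not is_local:
        action = "refuse"        # remote .desktop: never fetch-and-execute
    elif require_exists and not os.path.isfile(path):
        action = "refuse"        # local but absent: nothing safe to run
    else:
        action = "execute"

    return {"is_desktop": is_desktop, "is_local": is_local,
            "path": path, "action": action}


def launchable(args) -> list:
    """Return only the arguments a launcher may execute as .desktop files."""
    return [a for a in args if classify_target(a)["action"] == "execute"]


# Constructed sample arguments, as a launcher might receive them.
SAMPLE_ARGS = [
    "/usr/share/applications/editor.desktop",   # plain local path
    "file:///home/user/app%20one.desktop",      # file URI, no host
    "file://localhost/opt/tool.desktop",        # file URI, localhost
    "ftp://remote.example/share/evil.desktop",  # the CVE scenario
    "file://remote.example/evil.desktop",       # file scheme, remote host
    "https://example.org/page.html",            # not a .desktop file
]

if __name__ == "__main__":
    for a in SAMPLE_ARGS:
        print(f"{classify_target(a)['action']:8s} {a}")
```

The scheme check alone is not sufficient, which is why the host is inspected too: a file:// URI with a non-local authority is still a remote resource for GIO-style backends, so it is treated like ftp:// rather than like a plain path.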