CVE-2022-32278: exo-open : Only execute local .desktop files (c71c04ff) · Commits · Xfce / exo · GitLab
XFCE 4.16 allows attackers to execute arbitrary code because xdg-open can execute a .desktop file on an attacker-controlled FTP server.
Commit c71c04ff authored Jun 06, 2022 by
exo-open : Only execute local .desktop files
Issue #85 (Backported cc047717) CVE-2022-32278
This patch prevents executing possibly malicious .desktop files from online sources (ftp://, http:// etc.).
Original patch authored by Alexander Schwinn [email protected]
@@ -156,6 +156,16 @@ exo_open_launch_desktop_file (const gchar *arg)
if (G_UNLIKELY (gfile == NULL))
return FALSE;
/* Only execute local .desktop files to prevent execution of malicious launchers from foreign locations */
if (g_file_has_uri_scheme (gfile, “file”) == FALSE)
{
char *uri = g_file_get_uri (gfile);
g_warning ("Execution of remote .desktop file ‘%s’ was skipped due to security concerns.", uri);
g_object_unref (gfile);
g_free (uri);
return FALSE;
}
/* load the contents of the file */
result = g_file_load_contents (gfile, NULL, &contents, &length, NULL, NULL);
g_object_unref (G_OBJECT (gfile));
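Review bot: the new check `g_file_has_uri_scheme (gfile, "file") == FALSE` is an allow-list of the file:// scheme, which is stricter than what the commit message describes ("online sources (ftp://, http:// etc.)"): every non-file location GIO can address (smb://, sftp://, trash:// and so on) is now refused too, so the commit message and the `g_warning` text ("remote .desktop file") should say "non-local" or "non-file://" so that readers and bug reporters do not assume only ftp/http are affected. That stricter default is the right choice for something that executes launchers; it just needs to be stated. The early-return path is otherwise sound: it unrefs `gfile` and frees `uri` before returning FALSE, matching the existing `if (G_UNLIKELY (gfile == NULL)) return FALSE;` contract. One style point: the new block uses `g_object_unref (gfile)` while the line just below keeps `g_object_unref (G_OBJECT (gfile))`; pick one form for both. Finally, since the refusal is only reported via `g_warning` on stderr, consider whether the caller of `exo_open_launch_desktop_file` should surface a user-visible error rather than silently doing nothing.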
Related news
Gentoo Linux Security Advisory 202409-9 - A vulnerability has been discovered in Exo, which can lead to arbitrary code execution. Versions greater than or equal to 4.17.2 are affected.
Ubuntu Security Notice 6008-1 - It was discovered that Exo did not properly sanitize desktop files. A remote attacker could possibly use this issue to cause a crash or arbitrary code execution.