Security
Headlines
HeadlinesLatestCVEs

Headline

Debian Security Advisory 5296-1

Debian Linux Security Advisory 5296-1 - Robin Peraglie and Johannes Moritz discovered an argument injection bug in the xfce4-mime-helper component of xfce4-settings, which can be exploited using the xdg-open common tool. Since xdg-open is used by multiple standard applications for opening links, this bug could be exploited by an attacker to run arbitrary code on an user machine by providing a malicious PDF file with specifically crafted links.

Packet Storm
#mac#linux#debian#pdf
-----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5296-1                   [email protected]://www.debian.org/security/                        Yves-Alexis PerezDecember 06, 2022                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : xfce4-settingsCVE ID         : CVE-2022-45062Debian Bug     : 1023732Robin Peraglie and Johannes Moritz discovered an argument injection bug in thexfce4-mime-helper component of xfce4-settings, which can be exploited using thexdg-open common tool. Since xdg-open is used by multiple standard applicationsfor opening links, this bug could be exploited by an attacker to run arbitrarycode on an user machine by providing a malicious PDF file with specificallycrafted links.For the stable distribution (bullseye), this problem has been fixed inversion 4.16.0-1+deb11u1.We recommend that you upgrade your xfce4-settings packages.For the detailed security status of xfce4-settings please refer toits security tracker page at:https://security-tracker.debian.org/tracker/xfce4-settingsFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: [email protected] PGP SIGNATURE-----iQEzBAEBCgAdFiEE8vi34Qgfo83x35gF3rYcyPpXRFsFAmOPhf4ACgkQ3rYcyPpXRFsZiAgAqFeZ2xtfSmn0bkelbFZ5GzxBUDcCpRPQhSvK/Gku8ZsvBcMhINhMAU7Y5XrLnOhi40VDOEAtQ53f1rkufR8oo454tgRabsNIyrwSFsI48t7+wUT9wTowlG9LJKbbyiMMaLzZ5juglCFm1ZJGV6tMNYRzTyEFuMY/v//rsYkxeChdivWb5v/uPVhnJh2TZwi8uS8z3T0UkrJPnj4pStOJ1pD+ij2x8HSOvmPTZ+MCeKIudxHMxZntpa1Qi5YglEL75nkMosOo2qFvkXd8E+598W6ueZZXqEBzBqbYzx+6XvrDuhz0nQhzMcLlp17dIeUVVKBdnoZyd+YcK52GY8aiOA==pnJR-----END PGP SIGNATURE-----

Related news

Ubuntu Security Notice USN-6141-1

Ubuntu Security Notice 6141-1 - Robin Peraglie and Johannes Moritz discovered that xfce4-settings incorrectly parsed quoted input when processed through xdg-open. A remote attacker could possibly use this issue to inject arbitrary arguments into the default browser or file manager.

CVE-2022-45062: Escape characters which do not belong into an URI/URL (Issue #390) (55e3c5fb) · Commits · Xfce / xfce4-settings · GitLab

In Xfce xfce4-settings before 4.16.4 and 4.17.x before 4.17.1, there is an argument injection vulnerability in xfce4-mime-helper.

Packet Storm: Latest News

WordPress Really Simple Security Authentication Bypass