oss-sec mailing list archives

Code execution through Thunar


From: Gabriel Corona <gabriel.corona () enst-bretagne fr>
Date: Sun, 9 May 2021 21:38:23 +0200

When called with a regular file as a command line argument, Thunar
would delegate to some other program without user confirmation,
based on the file type. This could be exploited to trigger code
execution as part of a chain of vulnerabilities.

This is fixed in 4.16.7 and 4.17.2. When called with a regular
file, Thunar now opens the containing directory and selects the
file.

A CVE ID has been requested.

Reference:

https://gitlab.xfce.org/xfce/thunar/-/commit/9165a61f95e43cc0b5abf9b98eee2818a0191e0b

Note: the fix introduced a regression which is fixed in 4.16.8 and 4.17.3.

https://gitlab.xfce.org/xfce/thunar/-/commit/3b54d9d7dbd7fd16235e2141c43a7f18718f5664
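An added example (not part of this post or of the Thunar project) that classifies an installed Thunar version against the release numbers stated above: the argument-handling fix in 4.16.7 / 4.17.2 and the regression fix in 4.16.8 / 4.17.3. It assumes you already have a version string from your package manager or from `thunar --version`; the sample string format below is a constructed assumption.

```python
"""Classify a Thunar version against the fixes described in this advisory."""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Per branch: (first release with the argument-handling fix,
#              first release that also fixes the regression it introduced).
# Only the releases named in the advisory are encoded here.
FIXED_IN = {
    (4, 16): ((4, 16, 7), (4, 16, 8)),
    (4, 17): ((4, 17, 2), (4, 17, 3)),
}


def parse_version(text: str) -> Optional[Version]:
    """Extract the first X.Y.Z triple from free-form text.

    Example input (constructed, assumed format): 'Thunar 4.16.8 (Xfce 4.16)'.
    """
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def classify(version: Version) -> str:
    """Return 'vulnerable', 'fixed-with-regression', 'fixed' or 'not-covered'."""
    branch = FIXED_IN.get(version[:2])
    if branch is None:
        # Branches other than 4.16 / 4.17 are not discussed in the advisory.
        return "not-covered"
    fix, regression_fix = branch
    if version < fix:
        return "vulnerable"
    if version < regression_fix:
        return "fixed-with-regression"
    return "fixed"


def report(version_text: str) -> str:
    """Combine parsing and classification for a raw version string."""
    version = parse_version(version_text)
    if version is None:
        return "unparseable"
    return classify(version)


if __name__ == "__main__":
    # Constructed sample inputs, not real command output.
    for sample in ("Thunar 4.16.6", "Thunar 4.16.7", "Thunar 4.17.3", "Thunar 4.18.0"):
        print(sample, "->", report(sample))
```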

Gabriel

