Path: ...!news.mixmin.net!aioe.org!bofh.it!news.nic.it!robomod From: Yves-Alexis Perez Newsgroups: linux.debian.announce.security Subject: [SECURITY] [DSA 5296-1] xfce4-settings security update Date: Tue, 06 Dec 2022 19:20:01 +0100 Message-ID: X-Original-To: debian-security-announce@lists.debian.org X-Mailbox-Line: From debian-security-announce-request@lists.debian.org Tue Dec 6 18:17:02 2022 Old-Return-Path: X-Amavis-Spam-Status: No, score=-10.73 tagged_above=-10000 required=5.3 tests=[BAYES_00=-2, DIGITS_LETTERS=1, FVGT_m_MULTI_ODD=0.02, HEADER_FROM_DIFFERENT_DOMAINS=0.249, LDO_WHITELIST=-5, PGPSIGNATURE=-5, RCVD_IN_DNSWL_NONE=-0.0001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no X-Policyd-Weight: NOT_IN_SBL_XBL_SPAMHAUS=-1.5 CL_IP_EQ_HELO_IP=-2 (check from: .corsac. - helo: .smtp1-g21.free. - helo-domain: .free.) FROM/MX_MATCHES_NOT_HELO(DOMAIN)=0; rate: -3.5 X-Debian: PGP check passed for security officers Priority: urgent Reply-To: debian-security-announce-request@lists.debian.org X-Mailing-List: archive/latest/4196 List-ID: List-URL: List-Archive: https://lists.debian.org/msgid-search/638f86d5.a00d4.612cf746@scapa.corsac.net Approved: robomod@news.nic.it Lines: 45 Organization: linux.* mail to news gateway Sender: robomod@news.nic.it X-Original-Date: Tue, 06 Dec 2022 19:15:49 +0100 X-Original-Message-ID: <638f86d5.a00d4.612cf746@scapa.corsac.net> Bytes: 3686 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-5296-1 security@debian.org https://www.debian.org/security/ Yves-Alexis Perez December 06, 2022 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : xfce4-settings CVE ID : CVE-2022-45062 Debian Bug : 1023732 Robin Peraglie and Johannes Moritz discovered an argument injection bug in the xfce4-mime-helper component of xfce4-settings, which can be exploited using the xdg-open common tool. Since xdg-open is used by multiple standard applications for opening links, this bug could be exploited by an attacker to run arbitrary code on an user machine by providing a malicious PDF file with specifically crafted links. For the stable distribution (bullseye), this problem has been fixed in version 4.16.0-1+deb11u1. We recommend that you upgrade your xfce4-settings packages. For the detailed security status of xfce4-settings please refer to its security tracker page at: https://security-tracker.debian.org/tracker/xfce4-settings Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQEzBAEBCgAdFiEE8vi34Qgfo83x35gF3rYcyPpXRFsFAmOPhf4ACgkQ3rYcyPpX RFsZiAgAqFeZ2xtfSmn0bkelbFZ5GzxBUDcCpRPQhSvK/Gku8ZsvBcMhINhMAU7Y 5XrLnOhi40VDOEAtQ53f1rkufR8oo454tgRabsNIyrwSFsI48t7+wUT9wTowlG9L JKbbyiMMaLzZ5juglCFm1ZJGV6tMNYRzTyEFuMY/v//rsYkxeChdivWb5v/uPVhn Jh2TZwi8uS8z3T0UkrJPnj4pStOJ1pD+ij2x8HSOvmPTZ+MCeKIudxHMxZntpa1Q i5YglEL75nkMosOo2qFvkXd8E+598W6ueZZXqEBzBqbYzx+6XvrDuhz0nQhzMcLl p17dIeUVVKBdnoZyd+YcK52GY8aiOA== =pnJR -----END PGP SIGNATURE-----