[Bug 1228391] New: VUL-0: CVE-2024-42029: OS command execution triggered by screensharing
https://bugzilla.suse.com/show_bug.cgi?id=1228391

Bug ID: 1228391
Summary: VUL-0: CVE-2024-42029: OS command execution triggered by screensharing
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.6
Hardware: Other
URL: https://smash.suse.de/issue/415290/
OS: Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: Other
Assignee: security-team@suse.de
Reporter: smash_bz@suse.de
QA Contact: security-team@suse.de
CC: gianluca.gabrielli@suse.com
Target Milestone: ---
Found By: Security Response Team
Blocker: ---

xdg-desktop-portal-hyprland (aka an XDG Desktop Portal backend for Hyprland) before 1.3.3 allows OS command execution, e.g., because single quotes are not used when sending a list of app IDs and titles via the environment.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-42029
https://www.cve.org/CVERecord?id=CVE-2024-42029
https://github.com/hyprwm/xdg-desktop-portal-hyprland/commit/0bb709491baffd6...
https://github.com/hyprwm/xdg-desktop-portal-hyprland/issues/242
https://github.com/hyprwm/xdg-desktop-portal-hyprland/releases/tag/v1.3.3

--
You are receiving this mail because:
You are on the CC list for the bug.
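
The root cause named in the description above (no single quotes around the list passed via the environment), as an added shell example that is not code from xdg-desktop-portal-hyprland or from this report. It assumes the list reaches the child process through a command line parsed by a shell; SHARE_LIST, sq_quote, via_double_quotes, via_single_quotes and the sample title are constructed for illustration.

```shell
#!/bin/sh
# Added example with hypothetical names; the window title is a constructed sample.

# Quote a string for safe reuse inside shell source: wrap it in single quotes
# and rewrite every embedded ' as '\'' (close quote, escaped quote, reopen).
sq_quote() {
    s=$1 out=
    while :; do
        case $s in
            *\'*) out=$out${s%%\'*}"'\\''"; s=${s#*\'} ;;
            *)    out=$out$s; break ;;
        esac
    done
    printf "'%s'" "$out"
}

# Both functions launch a stand-in child that only reports the SHARE_LIST
# value it received through its environment.

# Weak form: the value sits between double quotes in shell source, so the
# shell that parses the command line still expands $(...) and backticks.
via_double_quotes() {
    sh -c "SHARE_LIST=\"$1\" sh -c 'printf %s \"\$SHARE_LIST\"'"
}

# Corrected form: the value is single-quoted and escaped, so the parsing
# shell treats every byte of it as data.
via_single_quotes() {
    sh -c "SHARE_LIST=$(sq_quote "$1") sh -c 'printf %s \"\$SHARE_LIST\"'"
}

# Constructed title carrying a harmless command substitution.
TITLE='term $(echo EXPANDED)'

printf 'title sent     : %s\n' "$TITLE"
printf 'double-quoted  : %s\n' "$(via_double_quotes "$TITLE")"
printf 'single-quoted  : %s\n' "$(via_single_quotes "$TITLE")"
```

A check worth keeping in a test suite is the round trip: whatever title goes in must come out of the child byte for byte.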

https://bugzilla.suse.com/show_bug.cgi?id=1228391

SMASH SMASH <smash_bz@suse.de> changed:

What       | Removed | Added
----------------------------------------------------------------------------
Whiteboard |         | CVSSv3.1:SUSE:CVE-2024-42029:8.8:(AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

https://bugzilla.suse.com/show_bug.cgi?id=1228391
https://bugzilla.suse.com/show_bug.cgi?id=1228391#c1

Gianluca Gabrielli <gianluca.gabrielli@suse.com> changed:

What       | Removed | Added
----------------------------------------------------------------------------
Resolution | ---     | FIXED
Status     | NEW     | RESOLVED

--- Comment #1 from Gianluca Gabrielli <gianluca.gabrielli@suse.com> ---
openSUSE:Factory/xdg-desktop-portal-hyprland is already fixed.

https://bugzilla.suse.com/show_bug.cgi?id=1228391

Marcus Meissner <meissner@suse.com> changed:

What    | Removed | Added
----------------------------------------------------------------------------
Summary | VUL-0: CVE-2024-42029: OS command execution triggered by screensharing | VUL-0: CVE-2024-42029: xdg-desktop-portal-hyprland: OS command execution triggered by screensharing

participants (1): bugzilla_noreply@suse.com