
CVE-2019-12761

Published: 06 June 2019

A code injection issue was discovered in PyXDG before 0.26 via crafted Python code in a Category element of a Menu XML document in a .menu file. XDG_CONFIG_DIRS must be set up to trigger xdg.Menu.parse parsing within the directory containing this file. This is due to a lack of sanitization in xdg/Menu.py before an eval call.
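One way to audit menu files for this issue on a host that still runs PyXDG older than 0.26 (an added example, not code from PyXDG or from this tracker page). It assumes that legitimate category names contain only letters, digits and hyphens; the function names and the sample document are constructed for illustration.

```python
import glob
import os
import re
import xml.etree.ElementTree as ET

# Assumption: real category names ("AudioVideo", "X-GNOME-Utilities") use only
# letters, digits and hyphens. Any other Category text is reported for review.
SAFE_CATEGORY = re.compile(r"[A-Za-z0-9-]+")


def suspicious_categories(menu_xml):
    """Return the text of every <Category> element that is not a plain name."""
    root = ET.fromstring(menu_xml)
    findings = []
    for node in root.iter("Category"):
        text = (node.text or "").strip()
        if not SAFE_CATEGORY.fullmatch(text):
            findings.append(text)
    return findings


def scan_config_dirs(env=os.environ):
    """Check every .menu file under the directories listed in XDG_CONFIG_DIRS."""
    results = {}
    # /etc/xdg is the default the XDG base directory spec gives when unset.
    for base in env.get("XDG_CONFIG_DIRS", "/etc/xdg").split(":"):
        if not base:
            continue
        pattern = os.path.join(base, "**", "*.menu")
        for path in sorted(glob.glob(pattern, recursive=True)):
            try:
                with open(path, "rb") as fh:
                    found = suspicious_categories(fh.read())
            except (OSError, ET.ParseError):
                continue  # unreadable or malformed file: nothing to report
            if found:
                results[path] = found
    return results


# Constructed sample: one ordinary category and one containing a quote character.
SAMPLE_MENU = """<Menu><Name>Applications</Name><Include><Or>
  <Category>Utility</Category>
  <Category>Utility' CONSTRUCTED-SAMPLE</Category>
</Or></Include></Menu>"""

if __name__ == "__main__":
    print(suspicious_categories(SAMPLE_MENU))
    print(scan_config_dirs())
```

A finding is a prompt to inspect the file and its owner, not proof of compromise; the fix itself is the package update listed in the status table.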

Priority

Low

CVSS 3 base score: 7.5

Status

Package: pyxdg (Launchpad, Ubuntu, Debian)

Release                             Status
Upstream                            Needs triage
Ubuntu 20.04 LTS (Focal Fossa)      Not vulnerable (0.26)
Ubuntu 18.04 LTS (Bionic Beaver)    Released (0.25-4ubuntu1.1)
Ubuntu 16.04 ESM (Xenial Xerus)     Released (0.25-4ubuntu0.16.04.1)
Ubuntu 14.04 ESM (Trusty Tahr)      Released (0.25-4ubuntu0.14.04.1~esm1)