CVE-2019-12761
Published: 06 June 2019
A code injection issue was discovered in PyXDG before 0.26 via crafted Python code in a Category element of a Menu XML document in a .menu file. XDG_CONFIG_DIRS must be set up to trigger xdg.Menu.parse parsing within the directory containing this file. This is due to a lack of sanitization in xdg/Menu.py before an eval call.
Priority
Low
CVSS 3 base score: 7.5
Status
| Package | Release | Status |
|---|---|---|
|
pyxdg Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
| Ubuntu 20.10 (Groovy Gorilla) |
Not vulnerable
(0.26)
|
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Not vulnerable
(0.26)
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Released
(0.25-4ubuntu1.1)
|
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Released
(0.25-4ubuntu0.16.04.1)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Released
(0.25-4ubuntu0.14.04.1~esm1)
|
Notes
| Author | Note |
|---|---|
| mdeslaur | needs to be parsing untrusted menu files |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12761
- https://snyk.io/vuln/SNYK-PYTHON-PYXDG-174562
- https://gist.github.com/dhondta/b45cd41f4186110a354dc7272916feba
- https://usn.ubuntu.com/usn/usn-4700-1
- NVD
- Launchpad
- Debian