Slackware-13.0 ChangeLog (2009-02-02)

Mon Feb 2 17:47:18 CST 2009

This update fixes two security issues. First, use of xdg-open in
/etc/mailcap was found to be unsafe – xdg-open passes along downloaded files
without indicating what mime type they initially presented themselves as,
leaving programs further down the processing chain to discover the file type
again. This makes it rather trivial to present a script (such as a .desktop
file) as a document type (like a PDF) so that it looks safe to click on in a
browser, but will result in the execution of an arbitrary script. It might
be safe to send files to trusted applications in /etc/mailcap, but it does
not seem to be safe to send files to xdg-open in /etc/mailcap.
This package will comment out calls to xdg-open in /etc/mailcap if they are
determined to have been added by a previous version of this package.
If you've made any local customizations to /etc/mailcap, be sure to check
that there are no uncommented calls to xdg-open after installing this update.
Thanks to Manuel Reimer for discovering this issue.
For more information, see:
Another bug in xdg-open fails to sanitize input properly allowing the
execution of arbitrary commands. This was fixed in the xdg-utils repository
quite some time ago (prior to the inclusion of xdg-utils in Slackware), but
was never fixed in the official release of xdg-utils. The sources for
xdg-utils in Slackware have now been updated from the repo to fix the problem.
For more information, see:
(* Security fix *)
  • news/2009/02/02/slackware-13.0-changelog.txt
  • Last modified: 4 years ago
  • by Giuseppe Di Terlizzi