CVE-2017-17512

Name: CVE-2017-17512
Description: sensible-browser in sensible-utils before 0.0.11 does not validate strings before launching the program specified by the BROWSER environment variable, which allows remote attackers to conduct argument-injection attacks via a crafted URL, as demonstrated by a --proxy-pac-file argument.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-1209-1, DSA-4071-1
Debian Bugs: 881767

Vulnerable and fixed packages

The table below lists information on source packages.

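| Source Package | Release | Version | Status |
|---|---|---|---|
| sensible-utils (PTS) | bullseye | 0.0.14 | fixed |
| sensible-utils (PTS) | bookworm | 0.0.17+nmu1 | fixed |
| sensible-utils (PTS) | sid, trixie | 0.0.24 | fixed |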

The information below is based on the following data on fixed versions.

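| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| sensible-utils | source | wheezy | 0.0.7+deb7u1 | | DLA-1209-1 | |
| sensible-utils | source | jessie | 0.0.9+deb8u1 | | DSA-4071-1 | |
| sensible-utils | source | stretch | 0.0.9+deb9u1 | | DSA-4071-1 | |
| sensible-utils | source | (unstable) | 0.0.11 | | | 881767 |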

Notes

https://anonscm.debian.org/git/collab-maint/sensible-utils.git/commit/?id=e16c937c43126df7f08d355277f99dd94cc21ce5
