Description: tools/ in TIN 2.4.1 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a third party has reported that this is intentional behavior, because the documentation states " was designed to work together with tin which only issues shell escaped absolute URLs."
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release       Version              Status
tin (PTS)        buster        1:2.4.3-1            vulnerable
                 sid, trixie   1:2.6.4~20240430-1   vulnerable

The information below is based on the following data on fixed versions.

Package   Type   Release   Fixed Version   Urgency   Origin   Debian Bugs

Documentation has a clear SECURITY section mentioning that [...] url_handler
does not try hard to shell escape its input nor does it convert relative URLs
into absolute ones. If you use from other applications be sure to
at least shell escape its input.
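The note above puts the burden on the caller: whatever hands a URL to a BROWSER launcher must validate it first. As an added example (not TIN's url_handler.sh, and not Debian's code), here is a POSIX sh wrapper that accepts only absolute URLs with a known scheme, built from URL-safe characters and not starting with "-", and then passes the URL to $BROWSER as exactly one argument so nothing in it can become an option or a second argument. The xdg-open fallback and the DRY_RUN switch are assumptions for this example.

```shell
#!/bin/sh
# Added example, not TIN's url_handler.sh: validate a URL before handing it
# to the program named by $BROWSER. The xdg-open fallback and the DRY_RUN
# switch are assumptions made for this demonstration.

# Return 0 only for an absolute URL with an expected scheme, made solely of
# URL-safe characters, and not beginning with '-' (which a browser's option
# parser could read as a flag). Space, quotes, $, (), backslash and newline
# are all rejected by the character whitelist.
validate_url() {
    url=$1
    case "$url" in
        -*) return 1 ;;                                # looks like an option
        *[!A-Za-z0-9._~:/?#@"!&*+,;=%"-]*) return 1 ;; # disallowed character
    esac
    case "$url" in
        http://?*|https://?*|ftp://?*|gopher://?*|news:?*|mailto:?*) return 0 ;;
        *) return 1 ;;                                 # relative URL or unknown scheme
    esac
}

# Launch $BROWSER with the URL as a single argument; nothing is eval'd.
# $BROWSER is operator-controlled and may carry its own options, so it is
# deliberately word-split; the URL never is.
open_url() {
    url=$1
    browser=${BROWSER:-xdg-open}
    validate_url "$url" || { printf 'rejected URL: %s\n' "$url" >&2; return 1; }
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s %s\n' "$browser" "$url"   # show what would run
        return 0
    fi
    $browser "$url"
}

# Demonstration on constructed inputs (dry run, no browser is started).
DRY_RUN=1 open_url 'https://example.com/a?b=1&c=2'            # accepted
DRY_RUN=1 open_url '-remote openURL(http://example.com)' || true  # rejected: option-like
DRY_RUN=1 open_url 'docs/index.html' || true                   # rejected: relative
```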

