CVE-2019-12761

NameCVE-2019-12761
DescriptionA code injection issue was discovered in PyXDG before 0.26 via crafted Python code in a Category element of a Menu XML document in a .menu file. XDG_CONFIG_DIRS must be set up to trigger xdg.Menu.parse parsing within the directory containing this file. This is due to a lack of sanitization in xdg/Menu.py before an eval call.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-1819-1
NVD severitymedium
Debian Bugs930099

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
pyxdg (PTS)jessie (security)0.25-4+deb8u1fixed
jessie, stretch0.25-4vulnerable
buster0.25-5vulnerable
bullseye, sid0.26-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
pyxdgsource(unstable)(unfixed)low930099
pyxdgsourcejessie0.25-4+deb8u1DLA-1819-1

Notes

[buster] - pyxdg <no-dsa> (Minor issue)
[stretch] - pyxdg <no-dsa> (Minor issue)
https://snyk.io/vuln/SNYK-PYTHON-PYXDG-174562
https://gitlab.freedesktop.org/xdg/pyxdg/issues/14

Search for package or bug name: Reporting problems