CVE-2019-12761

Name	CVE-2019-12761
Description	A code injection issue was discovered in PyXDG before 0.26 via crafted Python code in a Category element of a Menu XML document in a .menu file. XDG_CONFIG_DIRS must be set up to trigger xdg.Menu.parse parsing within the directory containing this file. This is due to a lack of sanitization in xdg/Menu.py before an eval call.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-1819-1, DLA-2727-1
Debian Bugs	930099

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
pyxdg (PTS)	bullseye	0.27-2	fixed
	bookworm, forky, sid, trixie	0.28-2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
pyxdg	source	jessie	0.25-4+deb8u1		DLA-1819-1
pyxdg	source	stretch	0.25-4+deb9u1		DLA-2727-1
pyxdg	source	(unstable)	0.26-1	low		930099

Notes

[buster] - pyxdg <no-dsa> (Minor issue)
https://snyk.io/vuln/SNYK-PYTHON-PYXDG-174562
https://gitlab.freedesktop.org/xdg/pyxdg/-/commit/aa4ce1bbc59def6975c9dd1598aafb3ef3fea681 (rel-0.26)
https://gitlab.freedesktop.org/xdg/pyxdg/issues/14