CVE-2017-17512 in Ubuntu

CVE-2017-17512

Priority

Description

sensible-browser in sensible-utils before 0.0.11 does not validate strings
before launching the program specified by the BROWSER environment variable,
which allows remote attackers to conduct argument-injection attacks via a
crafted URL, as demonstrated by a --proxy-pac-file argument.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17512
http://metadata.ftp-master.debian.org/changelogs/main/s/sensible-utils/sensible-utils_0.0.11_changelog
https://ubuntu.com/security/notices/USN-3584-1

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881767

Assigned-to

mdeslaur

Notes

Package

Source: sensible-utils (LP Ubuntu Debian)

Upstream:	released (0.0.11)
Ubuntu 16.04 ESM:	released (0.0.9ubuntu0.16.04.1)
Ubuntu 14.04 ESM:	released (0.0.9ubuntu0.14.04.1)

Patches:

Upstream:

https://anonscm.debian.org/git/collab-maint/sensible-utils.git/commit/?id=e16c937c43126df7f08d355277f99dd94cc21ce5

More Information

Updated: 2022-04-13 12:57:25 UTC (commit f411bd370d482ef4385c4e751d121a4055fbc009)