CVE-2019-12761 in Ubuntu

CVE-2019-12761

Priority

Description

A code injection issue was discovered in PyXDG before 0.26 via crafted
Python code in a Category element of a Menu XML document in a .menu file.
XDG_CONFIG_DIRS must be set up to trigger xdg.Menu.parse parsing within the
directory containing this file. This is due to a lack of sanitization in
xdg/Menu.py before an eval call.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12761
https://snyk.io/vuln/SNYK-PYTHON-PYXDG-174562
https://gist.github.com/dhondta/b45cd41f4186110a354dc7272916feba
https://ubuntu.com/security/notices/USN-4700-1

Bugs

https://gitlab.freedesktop.org/xdg/pyxdg/issues/14
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930099

Assigned-to

avital

Notes

mdeslaur

needs to be parsing untrusted menu files

Package

Source: pyxdg (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	released (0.25-4ubuntu1.1)
Ubuntu 20.04 LTS:	not-affected (0.26)
Ubuntu 16.04 ESM:	released (0.25-4ubuntu0.16.04.1)
Ubuntu 14.04 ESM:	released (0.25-4ubuntu0.14.04.1~esm1)

Patches:

More Information

Updated: 2022-04-13 13:37:42 UTC (commit f411bd370d482ef4385c4e751d121a4055fbc009)