Description
A code injection issue was discovered in PyXDG before 0.26 via crafted
Python code in a Category element of a Menu XML document in a .menu file.
XDG_CONFIG_DIRS must be set up to trigger xdg.Menu.parse parsing within the
directory containing this file. This is due to a lack of sanitization in
xdg/Menu.py before an eval call.
Notes
mdeslaur | needs to be parsing untrusted menu files |
Package
Upstream: | needs-triage
|
Ubuntu 18.04 LTS: | released
(0.25-4ubuntu1.1)
|
Ubuntu 20.04 LTS: | not-affected
(0.26)
|
Ubuntu 16.04 ESM: | released
(0.25-4ubuntu0.16.04.1)
|
Ubuntu 14.04 ESM: | released
(0.25-4ubuntu0.14.04.1~esm1)
|
Patches:
Updated: 2022-04-13 13:37:42 UTC (commit f411bd370d482ef4385c4e751d121a4055fbc009)