CVE-2017-5078

Priority
Description
Insufficient validation of untrusted input in Blink's mailto: handling in
Google Chrome prior to 59.0.3071.86 for Linux, Windows, and Mac allowed a
remote attacker to perform command injection via a crafted HTML page, a
similar issue to CVE-2004-0121. For example, characters such as * have an
incorrect interaction with xdg-email in xdg-utils, and a space character
can be used in front of a command-line argument.
Notes
Package
Upstream: released (59.0.3071.86)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE (trusty was released [59.0.3071.109-0ubuntu0.14.04.1186])
Ubuntu 16.04 LTS (Xenial Xerus): released (59.0.3071.109-0ubuntu0.16.04.1289)
Ubuntu 18.04 LTS (Bionic Beaver): released (59.0.3071.109-0ubuntu1.1360)
Ubuntu 19.04 (Disco Dingo): released (59.0.3071.109-0ubuntu1.1360)
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE (trusty was ignored [Ubuntu touch end-of-life])
Ubuntu 16.04 LTS (Xenial Xerus): ignored (Ubuntu touch end-of-life)
Ubuntu 18.04 LTS (Bionic Beaver): DNE
Ubuntu 19.04 (Disco Dingo): DNE
More Information

Updated: 2019-12-05 18:49:02 UTC (commit dd38ff22974aae499eb50644b9d5a2817483cbdb)