Debian 10263 Published by

A xfce4-settings security update has been released for Debian GNU/Linux 11 to address an argument injection bug in the xfce4-mime-helper component.



DSA 5296-1: xfce4-settings security update



- -------------------------------------------------------------------------
Debian Security Advisory DSA-5296-1 security@debian.org
  https://www.debian.org/security/ Yves-Alexis Perez
December 06, 2022   https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : xfce4-settings
CVE ID : CVE-2022-45062
Debian Bug : 1023732

Robin Peraglie and Johannes Moritz discovered an argument injection bug in the
xfce4-mime-helper component of xfce4-settings, which can be exploited using the
xdg-open common tool. Since xdg-open is used by multiple standard applications
for opening links, this bug could be exploited by an attacker to run arbitrary
code on an user machine by providing a malicious PDF file with specifically
crafted links.

For the stable distribution (bullseye), this problem has been fixed in
version 4.16.0-1+deb11u1.

We recommend that you upgrade your xfce4-settings packages.

For the detailed security status of xfce4-settings please refer to
its security tracker page at:
  https://security-tracker.debian.org/tracker/xfce4-settings

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at:   https://www.debian.org/security/