Fedora 23
Shell weakness #6

4

Weakness Breakdown

Definition:

A shell weakness occurs when a program enables an attacker to execute unexpected commands on the operating system.

Warning code(s):

This causes a new program to execute and is difficult to use safely.

File Name:

ardour-2.8.16/gtk2_ardour/nag.cc

Context:

The highlighted line of code below is the trigger point of this particular Fedora 23 shell weakness.

	if (open_uri (uri)) {
		mark_subscriber ();
	}
}

bool
NagScreen::open_uri (const char* uri)
{
#ifndef __APPLE__
	EnvironmentalProtectionAgency* global_epa = EnvironmentalProtectionAgency::get_global_epa ();
	boost::scoped_ptr<EnvironmentalProtectionAgency> current_epa;

	/* revert all environment settings back to whatever they were when ardour started
	 */

	if (global_epa) {
			current_epa.reset (new EnvironmentalProtectionAgency(true)); /* will restore settings when we leave scope */
			global_epa->restore ();
	}

	std::string command = "xdg-open ";
	command += uri;
	command += " &";
	/* trigger point of this weakness: the command string, which embeds the
	 * caller-supplied uri, is handed to the shell via system() */
	system (command.c_str());

	return true;
#else
	extern bool cocoa_open_url (const char*);
	return cocoa_open_url (uri);
#endif
}