CVE-2018-18398

Xfce Thunar 1.6.15, when Xfce 4.12 is used, mishandles the IBus-Unikey input method for file searches within File Manager, leading to an out-of-bounds read and SEGV. This could potentially be exploited by an arbitrary local user who creates files in /tmp before the victim uses this input method.

References

https://0xd0ff9.wordpress.com/2018/10/18/cve-2018-18398/

Affected packages

Git / github.com/xfce-mirror/thunar

Affected ranges

Type

GIT

Repo

https://github.com/xfce-mirror/thunar

Events

Introduced

Fixed

dd18b985e0e42bfda9d7278351522fc3c64ad495

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.6.15"
        }
    ]
}

Affected versions

thunar-0.*

thunar-0.3.0beta1

thunar-0.3.2beta2

thunar-0.9.0

thunar-0.9.80

thunar-0.9.91

thunar-0.9.92

thunar-0.9.93

thunar-0.9.99.1

thunar-1.*

thunar-1.0.1

thunar-1.1.0

thunar-1.1.1

thunar-1.1.2

thunar-1.1.3

thunar-1.1.4

thunar-1.1.5

thunar-1.1.6

thunar-1.2.0

thunar-1.3.0

thunar-1.3.1

thunar-1.3.2

thunar-1.4.0

thunar-1.5.0

thunar-1.5.1

thunar-1.5.2

thunar-1.5.3

thunar-1.6.0

thunar-1.6.1

thunar-1.6.10

thunar-1.6.11

thunar-1.6.12

thunar-1.6.13

thunar-1.6.14

thunar-1.6.2

thunar-1.6.3

thunar-1.6.4

thunar-1.6.5

thunar-1.6.6

thunar-1.6.7

thunar-1.6.8

thunar-1.6.9

xfce-4.*

xfce-4.4.2

xfce-4.4beta1

xfce-4.4beta2

xfce-4.6alpha

xfce-4.6beta1

xfce-4.6beta2

xfce-4.6beta3

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-18398.json"

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "fixed": "4.12"
            }
        ]
    }
]