CVE-2024-42029: 
Linux Fedora vulnerability analysis and mitigation

xdg-desktop-portal-hyprland (a XDG Desktop Portal backend for Hyprland) before version 1.3.3 contains a critical OS command execution vulnerability. The vulnerability exists because single quotes are not used when sending a list of app IDs and titles via the environment, potentially allowing arbitrary command execution (NVD).

The vulnerability is classified as an OS Command Injection (CWE-78) with a CVSS 3.1 Base Score of 6.3 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). The issue specifically relates to improper neutralization of special elements used in OS commands, where the application fails to properly sanitize environment variables and paths from user data (NVD, GitHub Commit).

The vulnerability could allow attackers to execute arbitrary OS commands through the application. In one reported incident, the vulnerability led to the deletion of almost all non-hidden files in a user's home directory (GitHub Issue).

Users are strongly advised to update to xdg-desktop-portal-hyprland version 1.3.3 or later, which includes an emergency security fix that properly sanitizes environment and paths from user data. The update also includes fixes for compilation with newer pw versions and requires pipewire version >= 1.1.82 (GitHub Release).

The release of version 1.3.3 was marked as an emergency security update by the developers, emphasizing the critical nature of the vulnerability. The GitHub release received significant community attention with 24 reactions, including 19 thumbs up, indicating strong community awareness and support for the security fix (GitHub Release).