Remotely-exploitable missing-format-string vulnerability in some message dialogue boxes

Bug #907 reported by Jorge Bernal on 2005-06-03
Affects: gxine (Ubuntu)
Importance: High
Assigned to: Jorge Bernal

Bug Description

Exworm discovered that gxine insecurely implements formatted printing
in the hostname decoding function.

A remote attacker could entice a user to open a carefully crafted file
with gxine, possibly leading to the execution of arbitrary code.

diff -u gxine-0.4.1/debian/changelog gxine-0.4.1/debian/changelog
--- gxine-0.4.1/debian/changelog
+++ gxine-0.4.1/debian/changelog
@@ -1,3 +1,13 @@
+gxine (0.4.1-1ubuntu0.1) hoary-security; urgency=high
+
+ * SECURITY UPDATE: fix remotely exploitable missing format string.
+ * src/utils.c: use format string to avoid arbitrary code execution.
+ * References:
+ CAN-2005-1692
+ http://bugs.debian.org/310712
+
+ -- Jorge Bernal <email address hidden> Sat, 4 Jun 2005 01:01:01 +0200
+
 gxine (0.4.1-1) unstable; urgency=high

   * New upstream release.
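
Review bot: The src/utils.c line of the new entry says only "use format string" and does not name the call that changed. Naming gtk_message_dialog_new there would let someone auditing the package match the changelog entry to the code without opening the diff.
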
only in patch2:
unchanged:
--- gxine-0.4.1.orig/src/utils.c
+++ gxine-0.4.1/src/utils.c
@@ -159,7 +159,7 @@
   va_end (ap);

   dialog = gtk_message_dialog_new (NULL, GTK_DIALOG_DESTROY_WITH_PARENT, type,
- GTK_BUTTONS_CLOSE, msg);
+ GTK_BUTTONS_CLOSE, "%s", msg);
   gtk_window_set_title (GTK_WINDOW (dialog), title);
   gtk_window_set_position (GTK_WINDOW (dialog), GTK_WIN_POS_CENTER);

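Review bot: The va_end (ap) context line just above the changed gtk_message_dialog_new call shows that the enclosing function is itself variadic, so adding "%s" here removes only the second expansion of msg. Callers that pass untrusted text (such as the decoded hostname) as this function's own format argument would still be exposed, so they should be audited to pass a literal format with the untrusted string as an argument. Consider also marking the declaration with G_GNUC_PRINTF so the compiler checks the format arguments at each call site.
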
Changed in gxine:
assignee: nobody → koke
status: New → Accepted
Jorge Bernal (koke) on 2005-08-10
Changed in gxine:
status: Accepted → Fixed
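
The double expansion that the src/utils.c change removes, shown as an added example (not gxine's code). `sink` is a hypothetical stand-in for the printf-style gtk_message_dialog_new, and `display`, `shown_intact` and the host string are constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style sink standing in for gtk_message_dialog_new(). */
static void sink(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, n, fmt, ap);
    va_end(ap);
}

/* Variadic wrapper shaped like the patched code: format once into msg,
 * then hand msg to the sink, unpatched (as format) or patched (as data). */
static void display(int patched, char *out, size_t n, const char *fmt, ...)
{
    char msg[256];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(msg, sizeof msg, fmt, ap);
    va_end(ap);
    if (patched)
        sink(out, n, "%s", msg);   /* msg is an argument: shown verbatim */
    else
        sink(out, n, msg);         /* msg is the format: expanded again */
}

/* Returns 1 if the untrusted host text reaches the sink byte-for-byte. */
static int shown_intact(int patched, const char *host)
{
    char out[256], want[256];
    snprintf(want, sizeof want, "Cannot reach %s", host);
    display(patched, out, sizeof out, "Cannot reach %s", host);
    return strcmp(out, want) == 0;
}

int main(void)
{
    /* Constructed input: "%%" is a conversion that consumes no argument,
     * so the second expansion is visible without undefined behaviour. */
    const char *host = "100%%.example.invalid";
    printf("unpatched intact: %d\n", shown_intact(0, host));
    printf("patched intact:   %d\n", shown_intact(1, host));
    return 0;
}
```

Building with `-Wformat -Wformat-security` flags this pattern at compile time only when the sink is declared with a printf format attribute, which is why the attribute on wrapper declarations matters.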