
Possible string format attack

Reported by Emilio Pozuelo Monfort on 2008-12-05
Affects: vinagre (Ubuntu) | Importance: High | Assigned to: Emilio Pozuelo Monfort
Affects: Hardy | Importance: High | Assigned to: Emilio Pozuelo Monfort
Affects: Intrepid | Importance: High | Assigned to: Emilio Pozuelo Monfort

Bug Description

Binary package hint: vinagre

There's a security issue in Vinagre, where a user could cause a string format attack.

These are the relevant upstream commits:
http://svn.gnome.org/viewvc/vinagre?view=revision&revision=528 (for hardy)
http://svn.gnome.org/viewvc/vinagre?view=revision&revision=525 (for intrepid and jaunty)

The problem is in src/vinagre-utils.c @ vinagre_utils_show_error, which is used in vinagre-commands.c @ vinagre_cmd_machine_open via vinagre_utils_show_many_errors.

The affected releases are Hardy, Intrepid and Jaunty.

Thanks Kees and James for your help!

Changed in vinagre:
importance: Undecided → High
status: New → Triaged
Kees Cook (kees) wrote :

Reproducer, from the command-line: vinagre %n
Segv on hardy, fortify-abort on intrepid (and jaunty).

Emilio Pozuelo Monfort (pochu) wrote :

Hardy debdiff. No regressions found, and patch fixes the sigsegv.

Changed in vinagre:
assignee: nobody → pochu
importance: Undecided → High
status: New → Triaged
Emilio Pozuelo Monfort (pochu) wrote :

Let's close this bug report and mention it's a "SECURITY UPDATE" in debian/changelog.

Emilio Pozuelo Monfort (pochu) wrote :

Intrepid debdiff. I've verified it fixes the bug and I've checked for regressions connecting to a vino server in localhost without any issues.

I did the same tests for the Hardy update.

Changed in vinagre:
assignee: nobody → pochu
importance: Undecided → High
status: New → Triaged
Kees Cook (kees) wrote :

Thanks for preparing and testing these updates! Hardy and Intrepid are building in the security queue now.

Changed in vinagre:
status: Triaged → Fix Committed
Emilio Pozuelo Monfort (pochu) wrote :

This debdiff merges Vinagre with Debian. Targeted to Jaunty.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package vinagre - 2.24.2-1ubuntu1

---------------
vinagre (2.24.2-1ubuntu1) jaunty; urgency=low

  * Merge from Debian unstable, remaining changes:
    - Launchpad integration.
  * The new upstream release fixes a security exploit (lp: #305623).

vinagre (2.24.2-1) experimental; urgency=high

  * New upstream release with a security fix.
    - Update build dependencies.
  * Update Vcs-* headers.

 -- Emilio Pozuelo Monfort <email address hidden> Sat, 06 Dec 2008 23:21:11 +0100

Changed in vinagre:
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package vinagre - 2.24.1-0ubuntu1.1

---------------
vinagre (2.24.1-0ubuntu1.1) intrepid-security; urgency=low

  * SECURITY UPDATE: string format attack via arguments to the command
    line call. LP: #305623.
  * debian/patches/01_fix_string_format_attack.patch:
    - Format the printf message.

 -- Emilio Pozuelo Monfort <email address hidden> Sat, 06 Dec 2008 01:10:46 +0100

Changed in vinagre:
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package vinagre - 0.5.1-0ubuntu1.1

---------------
vinagre (0.5.1-0ubuntu1.1) hardy-security; urgency=low

  * SECURITY UPDATE: string format attack via arguments to the command
    line call. LP: #305623.
  * debian/rules: add simple-patchsys.
  * debian/patches/01_fix_format_string_attack.patch:
    - Format the printf message.

 -- Emilio Pozuelo Monfort <email address hidden> Sat, 06 Dec 2008 00:40:54 +0100

Changed in vinagre:
status: Fix Committed → Fix Released
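
The changelog entries above describe the fix as "Format the printf message", and the reproducer in the thread is `vinagre %n`. The following C example is added here for illustration; it is not Vinagre's code and not part of the original report, and the function names `format_error_safe` and `count_directives` are hypothetical. It shows the hardened call pattern next to the vulnerable one, plus a small audit helper for strings that are about to be used as a format.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern, shown as a comment so it is never compiled:
 *     snprintf(out, outlen, untrusted);
 * The untrusted text is parsed as the format, so "%n" makes printf
 * write through a pointer argument that was never supplied. */

/* Hardened pattern: the format is a constant and the untrusted text is
 * passed as data, so any '%' in it is copied out literally. */
int format_error_safe(char *out, size_t outlen, const char *untrusted)
{
    return snprintf(out, outlen, "%s", untrusted);
}

/* Audit helper: count every '%' that is followed by a character other
 * than '%'. "%%" is an escaped percent sign and is not counted. */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {
            s++;                /* skip the escaped percent */
            continue;
        }
        if (s[1] != '\0')
            n++;
    }
    return n;
}

int main(void)
{
    const char *arg = "%n";     /* constructed input, same text as the reproducer */
    char buf[64];

    format_error_safe(buf, sizeof buf, arg);
    printf("%s (directives in input: %d)\n", buf, count_directives(arg));
    return 0;
}
```

Building with `-Wformat -Wformat-security` makes GCC warn about the commented-out pattern whenever a non-literal string is passed as the format with no arguments.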
This report contains Public Security information.