format string vulnerabilty
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Yelp |
New
|
Undecided
|
Unassigned | ||
yelp (Ubuntu) |
Fix Released
|
Medium
|
Kees Cook | ||
Gutsy |
Fix Released
|
Medium
|
Kees Cook | ||
Hardy |
Fix Released
|
Medium
|
Kees Cook |
Bug Description
Binary package hint: yelp
Gnome's help program "yelp" is affected by a classic format string vulnerability
when reporting an invalid URI using a gtk_message_dialog. The function gtk_message_
is called without a format string.
Details:
--------
After specifying an invalid URI, using ftp:// or file:// (or even no URI handler at all!)
An error message saying "The requested URI %s is invalid" is created using on line 1008 of yelp-window.c which
passes the gchar string into the window_error function located at 1129 of the same file.
The GTK dialog box is then created insecurely by *not* using a format string at line 1156 of yelp-window.c.
The function prototype for gtk_message_
void gtk_message_
where message_format is a "printf()-style markup string".
see: http://
Incorrect/
http://
You can see the code was changed "cleaned up" from properly using a format string, to its removal here:
http://
PoC:
----
yelp ftp://%
yelp %x%x%x%x%x%x://
yelp %08x%08x
Impact:
------
Because of yelp's network capability, this vulnerably may be remotely exploitable via minimal user-assistance in Firefox, Evolution and other programs with the 'man' or 'ghelp' URIs registered. Evolution will prompt the user for confirmation (which displays the program and arguments) but sadly Firefox 3.0 does not allow for preview of the arguments being passed. (I think all arguments being passed to applications via Firefox or whatever program should be displayed.
This seems like a regression in security from Firefox 2)
This vulnerability could be exploited to execute arbitrary code with the user's privileges and possible user-assisted execution of arbitrary code by clicking on a malicious link.
Effected Versions:
---------
All newer than 2.19.90
Fix:
----------
Patch the function call to use a format string per GTK+ documentation.
Similar to the properly used call gtk_message_
at line 581 of yelp-print.c
-Aaron Grattafiori
Related branches
CVE References
description: | updated |
Changed in yelp: | |
assignee: | nobody → kees |
status: | New → Fix Committed |
assignee: | nobody → kees |
importance: | Undecided → Low |
status: | New → Fix Committed |
importance: | Low → Medium |
importance: | Undecided → Medium |
Thanks for the report. I've confirmed the problem, and we will start the process of assigning a CVE, and coordinating with upstream to get a fix out to all the distros.