Bug#: 96991
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Tavis Ormandy (RETIRED) <taviso@gentoo.org>
Description:   Opened: 2005-06-24 16:13 0000
libaudit noticed a format string vulnerability in abiword:

Jun 24 23:47:00 insomniac abiword-2.2: warn: non-literal format string contains no specifiers: vsprintf(0x88ed868, "Save changes to document Statement.abw before closing?");

Of questionable security impact, a user would have to open, modify and then attempt to exit abiword with a very dodgy looking filename, but it should be fixed nonetheless.

Suggested fix, around line 761 of abi/src/af/xap/xp/xap_Frame.cpp:

-       pDialog->setMessage(szNewMessage);
+       pDialog->setMessage("%s", szNewMessage);
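Review bot: The `"%s"` change is the right fix for this line: szNewMessage embeds the document filename (see the logged vsprintf call above), so passing it as the format argument lets any `%` sequence in the filename be interpreted by the formatter, while `setMessage("%s", szNewMessage)` keeps the format constant and the message as data. To stop the same pattern from reappearing at other setMessage() call sites, consider marking setMessage() with a printf-style format attribute so that -Wformat-security flags any non-literal format passed with no arguments.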

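The bug class described above, as an added example that is not part of the original report or of AbiWord's code: `dialog_set_message()` is a hypothetical stand-in for `pDialog->setMessage()` (a printf-style sink), the prompt text and the filename are constructed here, and the filename deliberately contains only `%%` so that the buggy path stays well-defined and visibly mangles the text instead of reading stray arguments.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MSG_MAX 256

/* Hypothetical stand-in for pDialog->setMessage(): a printf-style sink
 * that renders its arguments into a dialog text buffer. */
static void dialog_set_message(char *out, size_t out_len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, out_len, fmt, ap);
    va_end(ap);
}

/* Builds the confirmation prompt with the document filename embedded in it,
 * which is where user-controlled '%' characters enter the string. */
static void build_prompt(char *out, size_t out_len, const char *filename)
{
    snprintf(out, out_len, "Save changes to document %s before closing?", filename);
}

/* Vulnerable form: the assembled message is passed as the format string,
 * so the formatter interprets every '%' sequence taken from the filename. */
void set_message_vulnerable(char *out, size_t out_len, const char *filename)
{
    char msg[MSG_MAX];
    build_prompt(msg, sizeof msg, filename);
    dialog_set_message(out, out_len, msg);          /* BUG: msg is the format */
}

/* Fixed form (the "%s" change from the report): the format is a constant
 * and the message travels as an ordinary argument, so it is copied verbatim. */
void set_message_fixed(char *out, size_t out_len, const char *filename)
{
    char msg[MSG_MAX];
    build_prompt(msg, sizeof msg, filename);
    dialog_set_message(out, out_len, "%s", msg);
}

/* Returns 1 if the dialog text still contains the filename exactly as given. */
int message_preserves_filename(const char *dialog_text, const char *filename)
{
    return strstr(dialog_text, filename) != NULL;
}

/* Constructed filename: "%%" is the only conversion, so the vulnerable path
 * collapses it to a single '%' without reading any missing arguments. */
static const char *const DEMO_FILENAME = "Q3 50%% done.abw";

/* Runs one path (fixed != 0 selects the corrected code) and reports whether
 * the filename survived the trip through the dialog sink. */
int demo_filename_round_trip(int fixed)
{
    char dialog_text[MSG_MAX];
    if (fixed)
        set_message_fixed(dialog_text, sizeof dialog_text, DEMO_FILENAME);
    else
        set_message_vulnerable(dialog_text, sizeof dialog_text, DEMO_FILENAME);
    return message_preserves_filename(dialog_text, DEMO_FILENAME);
}

int main(void)
{
    char dialog_text[MSG_MAX];

    set_message_vulnerable(dialog_text, sizeof dialog_text, DEMO_FILENAME);
    printf("vulnerable: %s\n", dialog_text);
    set_message_fixed(dialog_text, sizeof dialog_text, DEMO_FILENAME);
    printf("fixed:      %s\n", dialog_text);
    return 0;
}
```

With the filename above, the vulnerable path prints `Q3 50% done.abw` (the `%%` was consumed as a conversion) while the fixed path prints the filename unchanged; with other conversions the vulnerable path would read arguments that were never passed, which is the undefined behaviour the report is about. Annotating the real sink with `__attribute__((format(printf, 3, 4)))` makes GCC and Clang report the vulnerable call under `-Wformat-security`, which is the cheapest way to catch this pattern across a code base.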
------- Comment #1 From Tavis Ormandy (RETIRED) 2005-06-24 16:15:12 0000 -------
Testcase would be saving a file called foo%.500x%n%n%n%n%nbar.abw or something, modifying the file, then attempting to exit without saving.

------- Comment #2 From Sune Kloppenborg Jeppesen 2005-06-24 23:53:24 0000 -------
Thx Tavis, has upstream been notified? 

------- Comment #3 From Tavis Ormandy (RETIRED) 2005-06-25 02:05:00 0000 -------
They have now :) http://bugzilla.abisource.com/show_bug.cgi?id=9201

------- Comment #4 From Tavis Ormandy (RETIRED) 2005-06-26 03:55:08 0000 -------
Upstream reports the issue has now been fixed in their CVS repository.

------- Comment #5 From Thierry Carrez (RETIRED) 2005-06-26 11:39:14 0000 -------
Gnome team: feel like patching ? Or wait for a new release ?

------- Comment #6 From foser (RETIRED) 2005-06-27 05:16:21 0000 -------
Patching would be fine by me, but I have zero time this week so won't get around to it anytime soon. If any of the security folk care to do it?

------- Comment #7 From Thierry Carrez (RETIRED) 2005-07-03 09:53:05 0000 -------
Tavis, feel like pushing the patch in ? Anyone else in Gnome herd ?

------- Comment #8 From John N. Laliberte (RETIRED) 2005-07-03 13:31:00 0000 -------
All 3 builds have been revbumped and patched. Old (non rev bumped) ebuilds w/o the patch were removed.

------- Comment #9 From Thierry Carrez (RETIRED) 2005-07-04 00:30:29 0000 -------
Ready for GLSA

------- Comment #10 From Thierry Carrez (RETIRED) 2005-07-04 00:32:39 0000 -------
Hmm, let's rather vote... It's a quite complicated path to social engineer (especially the "quit without saving" part).

------- Comment #11 From Tavis Ormandy (RETIRED) 2005-07-04 01:22:04 0000 -------
I would vote a weak NO.

------- Comment #12 From Sune Kloppenborg Jeppesen 2005-07-04 02:42:28 0000 -------
I vote NO. 

------- Comment #13 From Thierry Carrez (RETIRED) 2005-07-04 02:48:55 0000 -------
Voting no too -> closing
