Bug 96991 - app-office/abiword: format string vulnerability

Bug#: 96991
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Other
Status: RESOLVED
Severity: normal
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: taviso@gentoo.org
Component: Vulnerabilities
URL:
Summary: app-office/abiword: format string vulnerability
Keywords:
Status Whiteboard: C2? [noglsa] jaervosz

Opened: 2005-06-24 16:13 0000

libaudit noticed a format string vulnerability in abiword:
Jun 24 23:47:00 insomniac abiword-2.2: warn: non-literal format string contains no specifiers: vsprintf(0x88ed868, "Save changes to document Statement.abw before closing?");
This is of questionable security impact: a user would have to open, modify and then attempt to exit abiword with a very dodgy-looking filename, but it should be fixed nonetheless.
Suggested fix, around line 761 of abi/src/af/xap/xp/xap_Frame.cpp:
- pDialog->setMessage(szNewMessage);
+ pDialog->setMessage("%s", szNewMessage);
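Review bot: the replacement passes the literal "%s" as the format and szNewMessage as its argument, which only compiles and only helps if setMessage() is a variadic printf-style function; the vsprintf() call in the libaudit log suggests it is, but the hunk does not show the signature, so confirm it before applying, and if setMessage() takes a single string the fix belongs in whatever forwards that string to vsprintf(). Worth checking the other setMessage() callers for the same non-literal pattern while there. Separately, vsprintf() has no length bound, so the destination buffer at 0x88ed868 in the log still has to be sized for an arbitrarily long filename; this hunk closes the format-string hole, not that one.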
Testcase would be saving a file called foo%.500x%n%n%n%n%nbar.abw or something, modifying the file, then attempting to exit without saving.

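The pattern described in the report above, as an added example in C that is not AbiWord's code and not part of this bug: a hypothetical printf-style set_message() stands in for the dialog's setMessage(), prompt_vulnerable() passes the assembled message as the format string the way the pre-fix line does, prompt_fixed() applies the "%s" change, and count_directives() is a small triage scanner that reports how many conversions a filename would inject if it became a format string. The prompt wording and the assumption that it is assembled with the filename before reaching setMessage() are reconstructed from the log line, not taken from the source. The demo feeds a filename containing "%%" because that is the one directive vsnprintf resolves without reading a missing argument; the testcase name with %x and %n would read and write memory, which is undefined behaviour in a demo.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the dialog's printf-style setMessage(): it
 * formats into a caller-supplied buffer. vsnprintf keeps the demo bounded;
 * the libaudit log shows the real code reaching vsprintf. */
static int set_message(char *out, size_t out_len, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, out_len, fmt, ap);
    va_end(ap);
    return n;
}

/* Assumption: the prompt is first assembled from the document name (the
 * log line reads "Save changes to document Statement.abw before closing?")
 * and that assembled string is what reaches setMessage(). */
static void build_prompt(char *msg, size_t msg_len, const char *filename)
{
    snprintf(msg, msg_len, "Save changes to document %s before closing?",
             filename);
}

/* Before the fix: the assembled message, filename included, is the format
 * string, so every '%' in the filename is parsed by vsnprintf. */
int prompt_vulnerable(char *out, size_t out_len, const char *filename)
{
    char msg[256];
    build_prompt(msg, sizeof msg, filename);
    return set_message(out, out_len, msg);
}

/* After the fix: the literal "%s" is the format; the message is data. */
int prompt_fixed(char *out, size_t out_len, const char *filename)
{
    char msg[256];
    build_prompt(msg, sizeof msg, filename);
    return set_message(out, out_len, "%s", msg);
}

/* Triage helper: count the printf conversions an untrusted string would
 * inject if it were used as a format string. "%%" is a literal percent and
 * is skipped; *writes receives the number of %n conversions, the ones that
 * write to memory instead of reading an argument. */
int count_directives(const char *s, int *writes)
{
    int count = 0;
    const char *p;

    *writes = 0;
    for (p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                    /* "%%" -> literal '%' */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p))
            p++;                         /* flags, width, precision, length */
        if (*p == '\0')
            break;                       /* string ends mid-directive */
        count++;
        if (*p == 'n')
            (*writes)++;
    }
    return count;
}

int main(void)
{
    /* Constructed inputs: the testcase name from the report, and a name
     * with "%%", the only directive safe to resolve with no arguments. */
    const char *testcase = "foo%.500x%n%n%n%n%nbar.abw";
    const char *benign = "100%% done.abw";
    char out[512];
    int writes, n;

    n = count_directives(testcase, &writes);
    printf("%s: %d conversions, %d of them %%n writes\n", testcase, n, writes);
    prompt_vulnerable(out, sizeof out, benign);
    printf("vulnerable: %s\n", out);     /* "%%" collapsed to "%" */
    prompt_fixed(out, sizeof out, benign);
    printf("fixed:      %s\n", out);     /* filename intact */
    return 0;
}
```

The scanner is the static half of what libaudit did dynamically: the log entry fired because the format string was non-literal and contained no specifiers, and count_directives() shows what a filename-supplied format would have carried instead.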
Thx Tavis, has upstream been notified?

Upstream reports that the issue has now been fixed in their CVS repository.

Gnome team: feel like patching? Or wait for a new release?

Patching would be fine by me, but I have zero time this week so won't get around to it anytime soon. If any of the security folk care to do it?

Tavis, feel like pushing the patch in? Anyone else in the Gnome herd?

All 3 builds have been revbumped and patched. Old (non-revbumped) ebuilds without the patch were removed.

Hmm, let's rather vote... It's a quite complicated path to social engineer (especially the "quit without saving" part).