Bug 114583 - kde-base/{kdewebdev,kxsldbg}-<3.5.0: format string vulnerability
Summary: kde-base/{kdewebdev,kxsldbg}-<3.5.0: format string vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B2? [noglsa] jaervosz
Reported: 2005-12-05 17:19 UTC by Carsten Lohrke (RETIRED)
Modified: 2019-12-09 20:37 UTC
Description Carsten Lohrke (RETIRED) gentoo-dev 2005-12-05 17:19:45 UTC
--- ./kxsldbg/kxsldbgpart/libxsldbg/file_cmds.cpp.orig  2005-12-04
11:02:02.000000000 +0100
+++ ./kxsldbg/kxsldbgpart/libxsldbg/file_cmds.cpp       2005-12-04
11:04:00.000000000 +0100
@@ -175,7 +175,7 @@
         } else {
            xsldbgGenericErrorFunc(i18n("PublicID \"%1\" was not found in
current catalog.\n").arg(xsldbgText(arg)));
         }
-        xsltGenericError(xsltGenericErrorContext, buffer);
+        xsltGenericError(xsltGenericErrorContext, "%s", buffer);
     }
     return result;
 }
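Review bot: The xsltGenericError call at the end of the hunk sits after the closing brace of the if/else, so it also runs on the "was not found" path; please confirm that buffer is always initialised and NUL-terminated there, since with "%s" its bytes are now printed verbatim. The patch also arrives without a description: one line saying where buffer's content comes from, and whether any other xsltGenericError call in libxsldbg still passes a non-literal string as the format argument, would make the backport easier to check.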
Comment 1 Carsten Lohrke (RETIRED) gentoo-dev 2005-12-05 17:30:59 UTC
Here we go...

<<< kxsldbg-3.4.3-r1.ebuild
<<< kdewebdev-3.4.3-r1.ebuild

Comment 2 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-12-06 13:50:50 UTC
ppc and hppa done.
Comment 3 Gustavo Zacarias (RETIRED) gentoo-dev 2005-12-07 05:25:31 UTC
sparc stable.
Comment 4 Marcus D. Hanwell (RETIRED) gentoo-dev 2005-12-07 11:55:15 UTC
Stable on amd64. 
Comment 5 Mark Loeser (RETIRED) gentoo-dev 2005-12-07 14:09:34 UTC
x86 needs this backported to 3.4.1 as we don't have 3.4.3 stable yet.  cpw is
still trying to work out the remaining issues before we mark KDE-3.4.3 stable.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-12-07 22:44:22 UTC
Carlo we need it backported as per above comment. 
Comment 7 Carsten Lohrke (RETIRED) gentoo-dev 2005-12-08 05:10:12 UTC
(In reply to comment #6)
> Carlo we need it backported as per above comment. 

It is. I thought a comment in one bug suffices.
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-12-08 06:13:22 UTC
Thx Carlo. Unless otherwise noted one comment applies to one bug for me:-) 
 
Back to stable marking. 
Comment 9 Mark Loeser (RETIRED) gentoo-dev 2005-12-10 00:01:57 UTC
x86 done
Comment 10 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2005-12-10 09:58:39 UTC
kxsldbg-3.4.1-r1 and kdewebdev-3.4.1-r1 are stable on alpha.

Thanks to carlo for backporting the patches. This makes our life much easier.
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2005-12-12 03:40:29 UTC
shouldn't ppc64 also mark stable ?
Comment 12 Markus Rothe (RETIRED) gentoo-dev 2005-12-12 11:18:16 UTC
kxsldbg-3.4.1-r1 stable on ppc64. kdewebdev-3.4.x not even ~ppc64. 
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2005-12-13 10:27:46 UTC
ppc64 has kxsldbg-3.4.3 stable so might need to mark 3.4.3-r1 too ?
Comment 14 Markus Rothe (RETIRED) gentoo-dev 2005-12-13 13:11:16 UTC
Yes, you are right. My mistake. kxsldbg-3.4.3-r1 is stable on ppc64 now.
Comment 15 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-12-14 04:24:33 UTC
Should we do a GLSA on this one? I see no other advisories, not even from KDE. 
Comment 16 Thierry Carrez (RETIRED) gentoo-dev 2005-12-14 05:00:14 UTC
The exploit path is a little weird. Probably takes a malicious XSL file to be
imported ? I tend to vote yes nevertheless, but I would welcome input from the
reporter (Carsten ?).
Comment 17 Thierry Carrez (RETIRED) gentoo-dev 2005-12-14 05:17:47 UTC
Based on draft comment, I revert to 1/2 NO
Comment 18 Carsten Lohrke (RETIRED) gentoo-dev 2005-12-14 09:00:12 UTC
(In reply to comment #16)
> The exploit path is a little weird. Probably takes a malicious XSL file to be
> imported ?

Yes. I pushed it to you, since this is the Gentoo way for this sort of bugs, but
it's highly unlikely that you grab such a xsl file and process it with kxsldbg.
In KDE svn the KDE 3.4 branch wasn't even fixed, I'm pretty sure there won't be
an announcement and don't think we need one either.


Comment 19 Thierry Carrez (RETIRED) gentoo-dev 2005-12-14 10:02:41 UTC
Heh, full NO from me then. Another NO voter can close this one as FIXED/noglsa
Comment 20 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-12-14 13:30:06 UTC
NO