From SecurityFocus.com: gEdit is prone to a format string vulnerability. Exploitation may occur when the program is invoked with a filename that includes malicious format specifiers. This issue could be exploited to corrupt arbitrary regions of memory with attacker-supplied data, potentially resulting in execution of arbitrary code in the context of the user running the program.

An example for an exploit:

bash-2.05b# cat fmtexp.c
#include <stdio.h>
int main() { printf("hah gedit\n"); }
bash-2.05b# gcc -o fk fmtexp.c
bash-2.05b# mv fk AA%n%n%n.c
bash-2.05b# gedit AA%n%n%n.c

Reproducible: Always
Steps to Reproduce:
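The bug class in the report above, shown as an added example (not code from the bug report, from gedit, or from the upstream patch): the vulnerable pattern is to hand an attacker-influenced string such as a filename to a printf-family function as the format argument, and the fix is a constant format string with the filename passed only as a "%s" argument, so any "%n" or "%x" it contains is copied literally. The function names and message text are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Vulnerable pattern (shown only in this comment, never compiled here):
 *
 *     snprintf(msg, sizeof msg, filename);   // filename IS the format string
 *
 * With a name like "AA%n%n%n.c" the %n specifiers are interpreted and
 * write to memory; with %x they leak stack contents into the message.
 */

/* Fixed pattern: the format string is a compile-time constant and the
 * untrusted filename is only ever a %s argument. Returns the length the
 * full message needed (snprintf semantics), which the caller can compare
 * against outlen to detect truncation. */
int report_open_error(const char *filename, char *out, size_t outlen)
{
    return snprintf(out, outlen, "Could not open file \"%s\"", filename);
}

/* Regression-test helper: 1 if the filename appears verbatim in the
 * rendered message (no specifier was interpreted), 0 otherwise. */
int filename_rendered_literally(const char *filename)
{
    char buf[512];
    report_open_error(filename, buf, sizeof buf);
    return strstr(buf, filename) != NULL;
}

int main(void)
{
    /* Constructed sample input mirroring the filename from the report. */
    const char *name = "AA%n%n%n.c";
    char buf[512];
    int needed = report_open_error(name, buf, sizeof buf);
    printf("%s (%d chars, literal=%d)\n", buf, needed,
           filename_rendered_literally(name));
    return 0;
}
```

Building with `gcc -Wall -Wformat=2 -Werror=format-security` turns the vulnerable pattern into a compile error, which is the cheapest way to catch this class of bug across a code base before it reaches a release.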
vulnerable:
GNOME gEdit 2.0.2
GNOME gEdit 2.2.0
GNOME gEdit 2.10.2
------------------
There is the 2.10.2 in portage which is masked
Pulling in gnome team. Is there something upstream on this (very recent) issue?
Just had a talk with Paolo Borelli on irc.gnome.org's #gedit. They know about it, but thought it was not public yet. I guess they will release a fix soon, once they fix an apparent mix-up with RedHat security.
Upstream is back from GUADEC and should post a new gedit soon. Note that this requires a user to open a very strange-looking filename with gedit, and not sure it can easily be automated using email or web browsing.
evolution offers the possibility to open attachments with an appropriate application, so for text files that might be gedit.
added gedit-2.10.3 which according to the changelog has the fix for this, marked stable x86.
foser: many thx. I guess we should also backport the one-line patch to 2.8.x for the other arches because moving them to 2.10.x might not be an easy option? I'll try to isolate the patch, Paolo Borelli told me it should be quite simple to backport.
Hmm, not that simple. The patch is in 4 different files and the file names changed from 2.8 to 2.10 apparently... http://cvs.gnome.org/viewcvs/gedit/gedit/ChangeLog?r1=1.764&r2=1.765&sortby=date foser: what are our options? I guess gedit-2.10 can't run on gnome 2.8?
Created attachment 60972 [details, diff] 10_debian_format-string-vulnerabilities.patch
Patch from Ubuntu's release
foser: the above patch applies cleanly to 2.8.3 To make it easier for other arches than x86, could you bump gedit-2.8.3 with that patch ?
I didn't apply it to 2.8 because 2.10.3 doesn't need any of the 2.10 libs besides gtksourceview which is a safe upgrade as well. So my suggestion is to just have all arches update to 2.10.3 gedit, which is long overdue anyway. But if you really want it in 2.8 anyway, just let me know.
Arches: please test and mark stable, see above comment.
Stable on ppc.
stable on amd64
hppa/ia64 stable
stable on ppc64
Alpha stable.
GLSA 200506-09 mips: remember to mark stable to benefit from GLSA
Stable on mips.