Bug 96991 - app-office/abiword: format string vulnerability
Summary: app-office/abiword: format string vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Other
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard: C2? [noglsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2005-06-24 16:13 UTC by Tavis Ormandy (RETIRED)
Modified: 2005-07-04 02:48 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Tavis Ormandy (RETIRED) gentoo-dev 2005-06-24 16:13:36 UTC
libaudit noticed a format string vulnerability in abiword:

Jun 24 23:47:00 insomniac abiword-2.2: warn: non-literal format string contains no specifiers: vsprintf(0x88ed868, "Save changes to document Statement.abw before closing?");

Of questionable security impact: a user would have to open, modify and then attempt to exit abiword with a very dodgy-looking filename, but it should be fixed nonetheless.

Suggested fix, around line 761 of abi/src/af/xap/xp/xap_Frame.cpp:

-       pDialog->setMessage(szNewMessage);
+       pDialog->setMessage("%s", szNewMessage);
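Review bot: the one-line change is the right fix, and the vsprintf trace in the description confirms that setMessage forwards its first argument straight to v*printf as the format, so every other call site that passes a non-literal first argument to setMessage has the same bug and should get the same "%s" treatment in the same patch. As posted, the fix is two bare +/- lines with no hunk header or context, so whoever applies it must locate the call by hand and check that line 761 still contains `pDialog->setMessage(szNewMessage);` in the version being patched.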
Comment 1 Tavis Ormandy (RETIRED) gentoo-dev 2005-06-24 16:15:12 UTC
testcase would be saving a file called foo%.500x%n%n%n%n%nbar.abw or something, 
modifying the file, then attempting to exit without saving.
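The pattern in the description and the test case in Comment 1, as an added example that is not code from this bug or from AbiWord: a hypothetical stand-in for setMessage that hands its first argument to vsnprintf, the vulnerable and the fixed call shapes side by side, and a small scanner that does statically what libaudit did at runtime (count printf conversions in a string about to become a format). The names set_message, build_prompt_vulnerable, build_prompt_fixed, prompts_differ, count_format_conversions and count_percent_n are assumptions for the example. The vulnerable path is only exercised with a filename containing "%%" (a conversion that consumes no argument), so the demonstration stays defined behaviour; the "%n" test-case filename from Comment 1 is fed only to the scanner.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for XAP_Dialog_MessageBox::setMessage(): like the
 * call in the libaudit trace, it hands its first argument to v*printf as the
 * format string.  vsnprintf rather than vsprintf so a long filename cannot
 * overrun the buffer; the format-string problem is unchanged. */
#if defined(__GNUC__)
__attribute__((format(printf, 3, 4)))   /* lets gcc -Wformat-security flag non-literal formats */
#endif
static void set_message(char *out, size_t out_len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, out_len, fmt, ap);
    va_end(ap);
}

/* Vulnerable shape (xap_Frame.cpp before the fix): the prompt, which embeds
 * the document's filename, becomes the format string itself. */
static const char *build_prompt_vulnerable(char *out, size_t out_len, const char *filename)
{
    char msg[512];
    snprintf(msg, sizeof msg, "Save changes to document %s before closing?", filename);
    set_message(out, out_len, msg);          /* gcc -Wformat-security warns here */
    return out;
}

/* Fixed shape: "%s" is the only format string; the prompt is plain data. */
static const char *build_prompt_fixed(char *out, size_t out_len, const char *filename)
{
    char msg[512];
    snprintf(msg, sizeof msg, "Save changes to document %s before closing?", filename);
    set_message(out, out_len, "%s", msg);
    return out;
}

/* 1 if the two shapes render a filename differently, i.e. the filename was
 * interpreted as a format.  Only call this with filenames whose conversions
 * consume no arguments (e.g. "%%"); a "%n" filename here would be the real
 * memory write the bug is about. */
int prompts_differ(const char *filename)
{
    char a[600], b[600];
    build_prompt_vulnerable(a, sizeof a, filename);
    build_prompt_fixed(b, sizeof b, filename);
    return strcmp(a, b) != 0;
}

/* Static version of the check libaudit made at runtime: walk a string that
 * is about to be used as a format and count printf conversions.  "%%" is an
 * escaped percent and is skipped; otherwise '%' followed by optional flags,
 * width, precision and length modifiers ends in a conversion character.
 * With only_n set, count just the memory-writing %n conversions. */
static int scan_format(const char *s, int only_n)
{
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {                   /* literal percent */
            p++;
            continue;
        }
        p++;
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p))
            p++;
        if (!*p)                             /* string ends mid-conversion */
            break;
        if (!only_n || *p == 'n')
            count++;
    }
    return count;
}

int count_format_conversions(const char *s) { return scan_format(s, 0); }
int count_percent_n(const char *s)          { return scan_format(s, 1); }

int main(void)
{
    const char *attack = "foo%.500x%n%n%n%n%nbar.abw";   /* Comment 1's test case, constructed here */
    printf("%s: %d conversions, %d of them %%n\n", attack,
           count_format_conversions(attack), count_percent_n(attack));
    printf("'foo%%%%bar.abw' rendered differently by the vulnerable path: %d\n",
           prompts_differ("foo%%bar.abw"));
    return 0;
}
```

Compiling with `gcc -Wformat-security` is the cheap check that catches this class of call: the format attribute on set_message makes the non-literal call in build_prompt_vulnerable warn, while the fixed call is silent. The scanner reports six conversions in the Comment 1 filename, five of them `%n`, and zero for an ordinary name such as Statement.abw.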
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-24 23:53:24 UTC
Thx Tavis, has upstream been notified? 
Comment 3 Tavis Ormandy (RETIRED) gentoo-dev 2005-06-25 02:05:00 UTC
They have now :) http://bugzilla.abisource.com/show_bug.cgi?id=9201
Comment 4 Tavis Ormandy (RETIRED) gentoo-dev 2005-06-26 03:55:08 UTC
Upstream report the issue has now been fixed in their CVS repository.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-06-26 11:39:14 UTC
Gnome team: feel like patching ? Or wait for a new release ?
Comment 6 foser (RETIRED) gentoo-dev 2005-06-27 05:16:21 UTC
Patching would be fine by me, but I have zero time this week so won't get around
to it anytime soon. If any of the security folk care to do it?
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2005-07-03 09:53:05 UTC
Tavis, feel like pushing the patch in ? Anyone else in Gnome herd ?
Comment 8 John N. Laliberte (RETIRED) gentoo-dev 2005-07-03 13:31:00 UTC
All 3 builds have been revbumped and patched. Old (non-revbumped) ebuilds
w/o the patch were removed.
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-07-04 00:30:29 UTC
Ready for GLSA
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2005-07-04 00:32:39 UTC
Hmm, let's rather vote... It's a quite complicated path to social engineer
(especially the "quit without saving" part).
Comment 11 Tavis Ormandy (RETIRED) gentoo-dev 2005-07-04 01:22:04 UTC
I would vote a weak NO.
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-07-04 02:42:28 UTC
I vote NO. 
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2005-07-04 02:48:55 UTC
Voting no too -> closing