Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 201292

Summary: xfce-base/libxfcegui4 < 4.4.2: possible double free(), format string (CVE-2007-6532)
Product: Gentoo Security Reporter: Christian Hoffmann (RETIRED) <hoffie>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: nightmorph, xfce
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.xfce.org/documentation/changelogs/4.4.2
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 201747    
Bug Blocks:    

Description Christian Hoffmann (RETIRED) gentoo-dev 2007-12-04 22:36:37 UTC 
Upstream changelog for version 4.4.2 lists:
  # Allocate copy of passed cliend id, program name and working directory in
    session management, in case the application frees the data.
  # Properly deal with %-starting 'field codes' in commands from .desktop files.

Not sure if those are vulnerabilities at all, I'm not that familiar with XFCE code. Better safe than sorry, I'd say. ;)
Don't have any further details here either.
Comment 1 Christian Hoffmann (RETIRED) gentoo-dev 2007-12-04 22:53:13 UTC 
Bleh, sorry for the bug spam. Getting the summary right is hard. ;)
It was wrong before, should be better now, but I'm still not sure.
Comment 2 Lubomir Rintel 2007-12-05 20:06:43 UTC 
First issue, libxfce4gui:

4.4: http://svn.xfce.org/index.cgi/xfce4/revision?rev=25554
trunk: http://svn.xfce.org/index.cgi/xfce4/revision?rev=25555
Comment 3 Lubomir Rintel 2007-12-05 20:12:31 UTC 
The "%" one:

4.4: http://svn.xfce.org/index.cgi/xfce4/revision/?rev=25677
Comment 4 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-12-08 23:45:44 UTC 
xfce: ok for 4.4.2 going stable?
Comment 5 Samuli Suominen (RETIRED) gentoo-dev 2007-12-09 09:02:49 UTC 
(In reply to comment #4)
> xfce: ok for 4.4.2 going stable?
> 

bug 201747
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2007-12-22 13:21:58 UTC 
All but MIPS stable on bug 201747, setting GLSA.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2007-12-22 15:44:29 UTC 
The % issue is not a security problem, as it only means that %U and other strings do not get removed from Exec calls in .desktop files.
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2008-01-08 22:10:39 UTC 
CVE-2007-6532 was assigned to the double free.
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2008-01-09 23:31:20 UTC 
GLSA 200801-06
Comment 10 nm (RETIRED) gentoo-dev 2008-01-10 06:22:42 UTC 
(In reply to comment #9)
> GLSA 200801-06
> 

. . . I know the GLEP was already sent and posted to the forums, but you should be aware that I finally removed the Upgrading section last month, as 4.2 was removed from Portage a looooooong time ago. Even 4.4 and 4.4.1 have been removed from the tree. Anyway, the upgrade path outlined in the guide no longer exists; drac had been doing many ebuild changes so that it would have required different procedures.

Users will have to visit CVS[1] to see the last version of the guide with that chapter.

[1] http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/xfce-config.xml?rev=1.14&view=markup
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2008-01-10 11:09:26 UTC 
Thanks for pointing that out, I removed the reference.