| Summary: | app-editors/gedit Filename Format String Vulnerability | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Adir Abraham <adirab> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | major | CC: | gnome |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.securityfocus.com/bid/13699 | | |
| Whiteboard: | A2 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Adir Abraham
2005-05-20 11:28:55 UTC
vulnerable:
GNOME gEdit 2.0.2
GNOME gEdit 2.2.0
GNOME gEdit 2.10.2

------------------

There is the 2.10.2 in portage which is masked

Pulling in gnome team. Is there something upstream on this (very recent) issue ?

Just had a talk with Paolo Borelli on irc.gnome.org's #gedit. They know about it, but thought it was not public yet. I guess they will release a fix soon, once they fix an apparent mix-up with RedHat security.

Upstream is back from GUADEC and should post a new gedit soon. Note that this requires a user to open a very strange-looking filename with gedit, and not sure it can easily be automated using email or web browsing.

evolution offers the possibility to open attachments with an appropriate application, so for text files that might be gedit.

added gedit-2.10.3 which according to the changelog has the fix for this, marked stable x86.

foser: many thx

I guess we should also backport the one-line patch to 2.8.x for the other arches because moving them to 2.10.x might not be an easy option ? I'll try to isolate the patch, Paolo Borelli told me it should be quite simple to backport.

Hmm, not that simple. The patch is in 4 different files and the file names changed from 2.8 to 2.10 apparently...
http://cvs.gnome.org/viewcvs/gedit/gedit/ChangeLog?r1=1.764&r2=1.765&sortby=date

foser: what are our options ? I guess gedit-2.10 can't run on gnome 2.8 ?

Created attachment 60972
10_debian_format-string-vulnerabilities.patch
Patch from Ubuntu's release

foser: the above patch applies cleanly to 2.8.3

To make it easier for other arches than x86, could you bump gedit-2.8.3 with that patch ?

I didn't apply it to 2.8 because 2.10.3 doesn't need any of the 2.10 libs besides gtksourceview which is a safe upgrade as well. So my suggestion is to just have all arches update to 2.10.3 gedit, which is long overdue anyway. But if you really want it in 2.8 anyway, just let me know.

Arches: please test and mark stable, see above comment.

Stable on ppc.

stable on amd64

hppa/ia64 stable

stable on ppc64

Alpha stable.

GLSA 200506-09

mips: remember to mark stable to benefit from GLSA

Stable on mips.