Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 201292 - xfce-base/libxfcegui4 < 4.4.2: possible double free(), format string (CVE-2007-6532)
Summary: xfce-base/libxfcegui4 < 4.4.2: possible double free(), format string (CVE-200...
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Depends on: 201747
  Show dependency tree
Reported: 2007-12-04 22:36 UTC by Christian Hoffmann (RETIRED)
Modified: 2008-01-10 11:09 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Christian Hoffmann (RETIRED) gentoo-dev 2007-12-04 22:36:37 UTC
Upstream changelog for version 4.4.2 lists:
  # Allocate copy of passed cliend id, program name and working directory in
    session management, in case the application frees the data.
  # Properly deal with %-starting 'field codes' in commands from .desktop files.

Not sure if those are vulnerabilities at all, I'm not that familiar with XFCE code. Better safe than sorry, I'd say. ;)
Don't have any further details here either.
Comment 1 Christian Hoffmann (RETIRED) gentoo-dev 2007-12-04 22:53:13 UTC
Bleh, sorry for the bug spam. Getting the summary right is hard. ;)
It was wrong before, should be better now, but I'm still not sure.
Comment 2 Lubomir Rintel 2007-12-05 20:06:43 UTC
First issue, libxfce4gui:

Comment 3 Lubomir Rintel 2007-12-05 20:12:31 UTC
The "%" one:

Comment 4 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-12-08 23:45:44 UTC
xfce: ok for 4.4.2 going stable?
Comment 5 Samuli Suominen (RETIRED) gentoo-dev 2007-12-09 09:02:49 UTC
(In reply to comment #4)
> xfce: ok for 4.4.2 going stable?

bug 201747
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2007-12-22 13:21:58 UTC
All but MIPS stable on bug 201747, setting GLSA.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2007-12-22 15:44:29 UTC
The % issue is not a security problem, as it only means that %U and other strings do not get removed from Exec calls in .desktop files.
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2008-01-08 22:10:39 UTC
CVE-2007-6532 was assigned to the double free.
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2008-01-09 23:31:20 UTC
GLSA 200801-06
Comment 10 nm (RETIRED) gentoo-dev 2008-01-10 06:22:42 UTC
(In reply to comment #9)
> GLSA 200801-06

. . . I know the GLEP was already sent and posted to the forums, but you should be aware that I finally removed the Upgrading section last month, as 4.2 was removed from Portage a looooooong time ago. Even 4.4 and 4.4.1 have been removed from the tree. Anyway, the upgrade path outlined in the guide no longer exists; drac had been doing many ebuild changes so that it would have required different procedures.

Users will have to visit CVS[1] to see the last version of the guide with that chapter.

Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2008-01-10 11:09:26 UTC
Thanks for pointing that out, I removed the reference.