Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 234079 (CVE-2008-3533) - gnome-extra/yelp <2.22.1-r2 gtk_message_dialog_format_secondary_markup() Format string vulnerability (CVE-2008-3533)
Summary: gnome-extra/yelp <2.22.1-r2 gtk_message_dialog_format_secondary_markup() Form...
Alias: CVE-2008-3533
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: A2/B2 [glsa]
Depends on:
Reported: 2008-08-06 12:07 UTC by Robert Buchholz (RETIRED)
Modified: 2008-09-04 20:12 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Proposed patch (yelp-2.22.1-format-string.patch,574 bytes, patch)
2008-08-07 15:11 UTC, Daniel Gryniewicz (RETIRED)
no flags Details | Diff
2.20.0 bump ebuild for most arches (yelp-2.20.0-r1.ebuild,1.69 KB, text/plain)
2008-08-07 15:12 UTC, Daniel Gryniewicz (RETIRED)
no flags Details
2.22.1 bump ebuild for amd64 (yelp-2.22.1-r2.ebuild,2.06 KB, text/plain)
2008-08-07 15:12 UTC, Daniel Gryniewicz (RETIRED)
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2008-08-06 12:07:10 UTC
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

Aaron Grattafiori writes:
Gnome's help program "yelp" is affected by a classic format string vulnerability
when reporting an invalid URI using a gtk_message_dialog. The function gtk_message_dialog_format_secondary_markup()
is called without a format string.

After specifying an invalid URI, using ftp:// or file:// (or even no URI handler at all!)
An error message saying "The requested URI %s is invalid" is created using on line 1008 of yelp-window.c which
passes the gchar string into the window_error function located at 1129 of the same file.
The GTK dialog box is then created insecurely by *not* using a format string at line 1156 of yelp-window.c.

The function prototype for gtk_message_dialog_format_secondary_markup is:
void    gtk_message_dialog_format_secondary_markup (GtkMessageDialog *message_dialog,
                                                         const gchar *message_format,
where message_format is a "printf()-style markup string".
Incorrect/vulnerable usage here:
You can see the code was changed "cleaned up" from properly using a format string, to its removal here:

yelp ftp://%08x.%08x.%08x.%08x.%08x.%08x
yelp %x%x%x%x%x%x://
yelp %08x%08x


Because of yelp's network capability, this vulnerably may be remotely exploitable via minimal user-assistance in Firefox, Evolution and other programs with the 'man' or 'ghelp' URIs registered. Evolution will prompt the user for confirmation (which displays the program and arguments) but sadly Firefox 3.0 does not allow for preview of the arguments being passed. (I think all arguments being passed to applications via Firefox or whatever program should be displayed.
This seems like a regression in security from Firefox 2) 
This vulnerability could be exploited to execute arbitrary code with the user's privileges and possible user-assisted execution of arbitrary code by clicking on a malicious link.

Effected Versions:
All newer than 2.19.90

Patch the function call to use a format string per GTK+ documentation.
Similar to the properly used call gtk_message_dialog_format_secondary_text()
at line 581 of yelp-print.c
Comment 1 Daniel Gryniewicz (RETIRED) gentoo-dev 2008-08-07 15:11:45 UTC
Created attachment 162428 [details, diff]
Proposed patch
Comment 2 Daniel Gryniewicz (RETIRED) gentoo-dev 2008-08-07 15:12:18 UTC
Created attachment 162430 [details]
2.20.0 bump ebuild for most arches
Comment 3 Daniel Gryniewicz (RETIRED) gentoo-dev 2008-08-07 15:12:44 UTC
Created attachment 162431 [details]
2.22.1 bump ebuild for amd64
Comment 4 Daniel Gryniewicz (RETIRED) gentoo-dev 2008-08-07 15:13:56 UTC
Okay, here's a patch, and 2 ebuilds that apply it.  Most arches have 2.20.0 stable, but 2.22 is in the process of going stable (and amd64 has it stable).  All arches that are going stable with 2.22 should test both (except amd64 which only needs to test 2.22.1-r2).  Fortunately, the same patch applies to both.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-08-07 20:54:40 UTC
Thanks for patch and ebuild.

Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86"

CC'ing current Liaisons:
   alpha : yoswink, armin76
   amd64 : keytoaster, tester
    hppa : jer
     ppc : dertobi123
   ppc64 : corsair
   sparc : fmccor
     x86 : maekke, armin76
Comment 6 Markus Meier gentoo-dev 2008-08-10 19:43:04 UTC
yelp-2.22.1-r2 looks good on amd64/x86.
Comment 7 Markus Rothe (RETIRED) gentoo-dev 2008-08-11 05:51:41 UTC
looks good on ppc64
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2008-08-11 10:13:59 UTC
Looks okay on alpha/ia64/sparc
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2008-08-11 16:12:10 UTC
Comment 10 Tobias Scherbaum (RETIRED) gentoo-dev 2008-08-11 19:35:12 UTC
yelp-2.22.1-r2 okay for ppc
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2008-08-15 08:52:55 UTC
Public via $URL. Please commit with the stable keywords gathered in this bug.
Comment 12 Daniel Gryniewicz (RETIRED) gentoo-dev 2008-08-15 14:17:42 UTC
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2008-09-04 20:12:56 UTC
GLSA 200809-01