Bug 93352 - app-editors/gedit Filename Format String Vulnerability
Summary: app-editors/gedit Filename Format String Vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://www.securityfocus.com/bid/13699
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2005-05-20 11:28 UTC by Adir Abraham
Modified: 2005-07-02 13:45 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
10_debian_format-string-vulnerabilities.patch (10_debian_format-string-vulnerabilities.patch,2.42 KB, patch)
2005-06-10 01:40 UTC, Thierry Carrez (RETIRED)

Description Adir Abraham 2005-05-20 11:28:55 UTC
From SecurityFocus.com:

gEdit is prone to a format string vulnerability. Exploitation may occur when the
program is invoked with a filename that includes malicious format specifiers.
This issue could be exploited to corrupt arbitrary regions of memory with
attacker-supplied data, potentially resulting in execution of arbitrary code in
the context of the user running the program. 

An example for an exploit:

bash-2.05b#cat fmtexp.c

#include <stdio.h>

/* The file content is irrelevant; the trigger is the filename below. */
int
main(void)
{
    printf("hah gedit\n");
    return 0;
}

bash-2.05b#gcc -o fk fmtexp.c
bash-2.05b#mv fk AA%n%n%n.c
bash-2.05b#gedit AA%n%n%n.c

Reproducible: Always
Steps to Reproduce:
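Added example, not code from the bug report or from gedit: the hardened way to put an untrusted filename into a printf-style message (always as a "%s" argument, never as the format), beside a small scanner that reports what a filename such as AA%n%n%n.c would do if it ever reached printf as the format string. Function names, the message text and the scratch buffer are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hardened way to build a message around an untrusted filename (assumed
 * helper name, not gedit's code): the name is always an argument of a fixed
 * "%s" format, never the format itself.  The bug on this page is the
 * equivalent of writing snprintf(out, n, name) instead. */
int safe_open_error(const char *name, char *out, size_t n)
{
    return snprintf(out, n, "Could not open file \"%s\"", name);
}

/* Walk s the way printf would: count its conversion specifiers and, via
 * *writes, the %n ones that store to memory.  "%%" is a literal percent. */
static int scan_format(const char *s, int *writes)
{
    int count = 0, stores = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') { p++; continue; }      /* escaped percent */
        p++;                 /* skip flags, width, precision, length modifier */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p))
            p++;
        if (*p == '\0')
            break;                                /* dangling '%' at the end */
        count++;
        if (*p == 'n')
            stores++;
    }
    *writes = stores;
    return count;
}

/* Number of conversions a filename would trigger if misused as a format. */
int count_conversions(const char *name)
{
    int writes;
    return scan_format(name, &writes);
}

/* Number of %n conversions; non-zero means the filename would write memory. */
int count_write_conversions(const char *name)
{
    int writes;
    scan_format(name, &writes);
    return writes;
}

/* Scratch buffer for callers of safe_open_error(). */
char message_buf[64];
```

With the fixed format, the three %n in the filename are copied into the message as plain text, which is exactly what the upstream patch restores.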
Comment 1 Jean-François Brunette (RETIRED) gentoo-dev 2005-05-20 11:33:03 UTC
vulnerable:
GNOME gEdit 2.0.2
GNOME gEdit 2.2.0
GNOME gEdit 2.10.2
------------------

There is the 2.10.2 in portage which is masked
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-05-20 14:18:16 UTC
Pulling in gnome team. Is there something upstream on this (very recent) issue?
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-05-24 05:43:24 UTC
Just had a talk with Paolo Borelli on irc.gnome.org's #gedit. They know about
it, but thought it was not public yet. I guess they will release a fix soon,
once they fix an apparent mix-up with RedHat security.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-06-01 05:35:32 UTC
Upstream is back from GUADEC and should post a new gedit soon.

Note that this requires a user to open a very strange-looking filename with
gedit, and not sure it can easily be automated using email or web browsing.
Comment 5 foser (RETIRED) gentoo-dev 2005-06-01 07:50:29 UTC
evolution offers the possibility to open attachments with an appropriate
application, so for text files that might be gedit.
Comment 6 foser (RETIRED) gentoo-dev 2005-06-08 14:58:48 UTC
added gedit-2.10.3 which according to the changelog has the fix for this, marked
stable x86.
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2005-06-09 09:34:37 UTC
foser: many thx

I guess we should also backport the one-line patch to 2.8.x for the other arches
because moving them to 2.10.x might not be an easy option?

I'll try to isolate the patch, Paolo Borelli told me it should be quite simple
to backport.
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-06-09 10:26:56 UTC
Hmm, not that simple. The patch is in 4 different files and the file names
changed from 2.8 to 2.10 apparently...

http://cvs.gnome.org/viewcvs/gedit/gedit/ChangeLog?r1=1.764&r2=1.765&sortby=date

foser: what are our options? I guess gedit-2.10 can't run on gnome 2.8?
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-06-10 01:40:28 UTC
Created attachment 60972 [details, diff]
10_debian_format-string-vulnerabilities.patch

Patch from Ubuntu's release
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2005-06-10 01:41:41 UTC
foser: the above patch applies cleanly to 2.8.3

To make it easier for other arches than x86, could you bump gedit-2.8.3 with
that patch ?
Comment 11 foser (RETIRED) gentoo-dev 2005-06-10 07:27:56 UTC
I didn't apply it to 2.8 because 2.10.3 doesn't need any of the 2.10 libs
besides gtksourceview which is a safe upgrade as well. So my suggestion is to
just have all arches update to 2.10.3 gedit, which is long overdue anyway.

But if you really want it in 2.8 anyway, just let me know.
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2005-06-10 07:35:19 UTC
Arches: please test and mark stable, see above comment.
Comment 13 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-06-10 12:14:05 UTC
Stable on ppc.
Comment 14 Simon Stelling (RETIRED) gentoo-dev 2005-06-10 12:52:38 UTC
stable on amd64
Comment 15 SpanKY gentoo-dev 2005-06-10 23:35:51 UTC
hppa/ia64 stable
Comment 16 Markus Rothe (RETIRED) gentoo-dev 2005-06-11 03:25:03 UTC
stable on ppc64 
Comment 17 Bryan Østergaard (RETIRED) gentoo-dev 2005-06-11 03:35:05 UTC
Alpha stable.
Comment 18 Thierry Carrez (RETIRED) gentoo-dev 2005-06-11 11:01:52 UTC
GLSA 200506-09
mips: remember to mark stable to benefit from GLSA
Comment 19 Hardave Riar (RETIRED) gentoo-dev 2005-07-02 13:45:21 UTC
Stable on mips.