** Please note that this issue is confidential and no information should be disclosed until it is made public, see "Whiteboard" for a date ** Aaron Grattafiori writes: Gnome's help program "yelp" is affected by a classic format string vulnerability when reporting an invalid URI using a gtk_message_dialog. The function gtk_message_dialog_format_secondary_markup() is called without a format string. Details: -------- After specifying an invalid URI, using ftp:// or file:// (or even no URI handler at all!) An error message saying "The requested URI %s is invalid" is created using on line 1008 of yelp-window.c which passes the gchar string into the window_error function located at 1129 of the same file. The GTK dialog box is then created insecurely by *not* using a format string at line 1156 of yelp-window.c. The function prototype for gtk_message_dialog_format_secondary_markup is: void gtk_message_dialog_format_secondary_markup (GtkMessageDialog *message_dialog, const gchar *message_format, ...); where message_format is a "printf()-style markup string". see: http://library.gnome.org/devel/gtk/2.12/GtkMessageDialog.html#gtk-message-dialog-format-secondary-markup Incorrect/vulnerable usage here: http://svn.gnome.org/viewvc/yelp/trunk/src/yelp-window.c?revision=3145&view=markup You can see the code was changed "cleaned up" from properly using a format string, to its removal here: http://svn.gnome.org/viewvc/yelp/trunk/src/yelp-window.c?annotate=2848#l1130 PoC: ---- yelp ftp://%08x.%08x.%08x.%08x.%08x.%08x yelp %x%x%x%x%x%x:// yelp %08x%08x Impact: ------ Because of yelp's network capability, this vulnerably may be remotely exploitable via minimal user-assistance in Firefox, Evolution and other programs with the 'man' or 'ghelp' URIs registered. Evolution will prompt the user for confirmation (which displays the program and arguments) but sadly Firefox 3.0 does not allow for preview of the arguments being passed. (I think all arguments being passed to applications via Firefox or whatever program should be displayed. This seems like a regression in security from Firefox 2) This vulnerability could be exploited to execute arbitrary code with the user's privileges and possible user-assisted execution of arbitrary code by clicking on a malicious link. Effected Versions: --------- All newer than 2.19.90 Fix: ---------- Patch the function call to use a format string per GTK+ documentation. Similar to the properly used call gtk_message_dialog_format_secondary_text() at line 581 of yelp-print.c
Created attachment 162428 [details, diff] Proposed patch
Created attachment 162430 [details] 2.20.0 bump ebuild for most arches
Created attachment 162431 [details] 2.22.1 bump ebuild for amd64
Okay, here's a patch, and 2 ebuilds that apply it. Most arches have 2.20.0 stable, but 2.22 is in the process of going stable (and amd64 has it stable). All arches that are going stable with 2.22 should test both (except amd64 which only needs to test 2.22.1-r2). Fortunately, the same patch applies to both.
Thanks for patch and ebuild. Arch Security Liaisons, please test the attached ebuild and report it stable on this bug. Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86" CC'ing current Liaisons: alpha : yoswink, armin76 amd64 : keytoaster, tester hppa : jer ppc : dertobi123 ppc64 : corsair sparc : fmccor x86 : maekke, armin76
yelp-2.22.1-r2 looks good on amd64/x86.
looks good on ppc64
Looks okay on alpha/ia64/sparc
HPPA is OK.
yelp-2.22.1-r2 okay for ppc
Public via $URL. Please commit with the stable keywords gathered in this bug.
Committed.
GLSA 200809-01