oss-sec mailing list archives

Re: CVE request for Thunar (format string errors)


From: Tomas Hoger <thoger () redhat com>
Date: Fri, 15 Apr 2011 16:50:02 +0200

On Fri, 15 Apr 2011 15:54:08 +0200 Yves-Alexis Perez wrote:

> The first one is
> http://git.xfce.org/xfce/thunar/commit/?id=1d4dfafda30df071d7c1e0b370f0613cbc92ba74
> (bug at https://bugzilla.xfce.org/show_bug.cgi?id=7128, fixed in
> Thunar 1.2.1) and triggers when creating file from templates and
> calling it with a format string.

Does this have a real attack vector where trust boundary is crossed?
This sounds like a bug.

> The second is
> http://git.xfce.org/xfce/thunar/commit/?id=03dd312e157d4fa8a11d5fa402706ae5b05806fa
> and is triggered when copy/pasting a file named from a format string.
> There's no released version including the fix right now.

This would probably qualify.

> As a side note, I do use -Wformat -Wformat-security
> -Werror=format-security (thanks to hardening-includes) for my Debian
> builds, but as those functions are wrappers of wrappers of wrappers to
> printf() and stuff like that, -Wformat-security won't help. Is there a
> way to work around that?

Fortify source should block code execution even in this case, I'd
expect.

-- 
Tomas Hoger / Red Hat Security Response Team
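
Added example, not part of the original message and not Thunar's code: one way to make -Wformat-security see through printf() wrappers is to put GCC's format attribute on every wrapper in the chain. The names PRINTF_LIKE, vlabel, label, copy_status, copy_status_bad and the SHOW_WARNING switch are hypothetical, and the file name is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Marks a function printf-like so -Wformat-security checks its callers. */
#define PRINTF_LIKE(fmt, first) __attribute__((format(printf, fmt, first)))

/* Hypothetical two-level wrapper chain around vsnprintf(). */
static int vlabel(char *out, size_t n, const char *fmt, va_list ap)
    PRINTF_LIKE(3, 0);   /* 0: the arguments arrive as a va_list */
static int label(char *out, size_t n, const char *fmt, ...)
    PRINTF_LIKE(3, 4);   /* format is argument 3, varargs start at 4 */

static int vlabel(char *out, size_t n, const char *fmt, va_list ap)
{
    return vsnprintf(out, n, fmt, ap);
}

static int label(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vlabel(out, n, fmt, ap);
    va_end(ap);
    return len;
}

#ifdef SHOW_WARNING
/* Buggy pattern: the file name itself is used as the format string.
 * With the attributes above, the compiler reports this call site. */
int copy_status_bad(char *out, size_t n, const char *file_name)
{
    return label(out, n, file_name);
}
#endif

/* Fixed pattern: constant format, file name passed as data. */
int copy_status(char *out, size_t n, const char *file_name)
{
    return label(out, n, "Copying \"%s\"", file_name);
}

int main(void)
{
    char buf[64];
    copy_status(buf, sizeof buf, "%s%n%x.txt"); /* constructed file name */
    puts(buf);
    return 0;
}
```

Building with `-DSHOW_WARNING -Wformat -Wformat-security -Werror=format-security` turns the call in copy_status_bad into a compile error; without the two attributes the same call compiles silently. GLib-based code can use the G_GNUC_PRINTF macro for the same attribute.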

