oss-sec mailing list archives
Re: CVE request for Thunar (format string errors)
From: Yves-Alexis Perez <corsac () debian org>
Date: Fri, 15 Apr 2011 17:06:11 +0200
On ven., 2011-04-15 at 16:50 +0200, Tomas Hoger wrote:
On Fri, 15 Apr 2011 15:54:08 +0200 Yves-Alexis Perez wrote:The first one ishttp://git.xfce.org/xfce/thunar/commit/?id=1d4dfafda30df071d7c1e0b370f0613cbc92ba74(bug at https://bugzilla.xfce.org/show_bug.cgi?id=7128) fixed in Thunar 1.2.1) and triggers when creating file from templates and calling it with a format string.Does this have real attack vector where trust boundary is crossed? This sounds like a bug.
Yeah, I don't think there's a way to ask Thunar to create a new file from a template programmatically, so the user really needs to go to the menu and create it.
The second ishttp://git.xfce.org/xfce/thunar/commit/?id=03dd312e157d4fa8a11d5fa402706ae5b05806faand is triggered when copy/pasting a file named from a formatstring.There's no released version including the fix right now.This would probably qualify.
Even if the user has to manually Ctrl-C/Ctrl-V the file in Thunar? Thanks.
As a side note, I do use -Wformat -Wformat-security -Werror=format-security (thanks to hardening-includes) for my Debian builds, but as those function are wrappers of wrappers of wrapperstoprintf() and stuff like that, -Wformat-security won't help. Is thereaway to work around that?Fortify source should block code execution even in this case, I'd expect.
Yeah hopefully, but I was more thinking on a way to detect the format string error at compilation time. Manually it's kind of a pain as one has to check every usage of a function using va_args. Regards, -- Yves-Alexis
Current thread:
- CVE request for Thunar (format string errors) Yves-Alexis Perez (Apr 15)
- Re: CVE request for Thunar (format string errors) Tomas Hoger (Apr 15)
- Re: CVE request for Thunar (format string errors) Yves-Alexis Perez (Apr 15)
- Re: CVE request for Thunar (format string errors) Josh Bressers (Apr 18)
- Re: CVE request for Thunar (format string errors) Yves-Alexis Perez (Apr 15)
- Re: CVE request for Thunar (format string errors) Tomas Hoger (Apr 15)