GNOME Bugzilla – Bug 306800
gedit allows users to pass format strings to message dialogs
Last modified: 2005-07-22 09:30:33 UTC
The gtk_message_dialog_new and gtk_message_dialog_format_secondary_text functions are variadic functions that use format strings to specify the types and number of arguments passed to the functions. In many cases, gedit passes data given directly by the user as format strings to these functions. gedit will normally put up an error message dialog if the user tries to open a text file containing random binary data. If the filename contains format specifiers then gedit will instead crash. For example, try

$ dd if=/dev/urandom of=a-file-with-%s%d%f%n-in-its-name.txt bs=512 count=1
$ gedit a-file-with-%s%d%f%n-in-its-name.txt

gedit will crash. It's possible to specially craft the filename such that gedit will execute arbitrary code. See https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=159657 for more details.
Created attachment 47395
use a format string of "%s"

The following patch adds a "%s" format string to various places in the code that use the varargs message dialog APIs.
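The two call patterns discussed in this bug, side by side, as an added illustration that is not part of gedit or of the attached patch. The GTK dialog constructors are replaced by a stand-in variadic function (an assumption: like the real ones, its first string parameter is a printf-style format) that formats into a buffer instead of building a dialog, so the difference between passing the file name as the format and passing it behind a constant "%s" can be observed without GTK. The "before" function is only ever exercised with a name containing "%%", whose behaviour is well defined; the name from the report is shown only through the fixed path. The audit helper is likewise an addition.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the variadic GTK dialog constructors named in the bug
 * (gtk_message_dialog_new, gtk_message_dialog_format_secondary_text).
 * Assumption: like them, the first string parameter is a printf-style
 * format. The real functions build a dialog; this one formats into buf
 * so the effect can be observed without GTK. */
int show_message(char *buf, size_t buflen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, buflen, fmt, ap);
    va_end(ap);
    return n;
}

/* Pattern the bug describes: the file name itself becomes the format
 * string, so every '%' directive in it is interpreted. Kept here only as
 * the "before" of the fix; it is called below with a name containing
 * just "%%", which is well defined, never with "%s" or "%n". */
int report_error_unsafe(char *buf, size_t buflen, const char *filename)
{
    return show_message(buf, buflen, filename);
}

/* Pattern from the attached patch: a constant "%s" format, with the
 * untrusted text passed as an argument, so it is copied verbatim. */
int report_error_safe(char *buf, size_t buflen, const char *filename)
{
    return show_message(buf, buflen, "%s", filename);
}

/* Audit helper (added here): number of conversion directives a string
 * would introduce if it were ever used as a format. "%%" is a literal
 * percent sign and is not counted. Useful in a unit test asserting that
 * untrusted strings never reach a format parameter. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* escaped percent sign: skip the pair */
            p++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample names; the first is the one from the bug report. */
    const char *hostile = "a-file-with-%s%d%f%n-in-its-name.txt";
    const char *percent = "progress-100%%.txt";
    char buf[256];

    printf("directives in \"%s\": %d\n", hostile, count_format_directives(hostile));

    report_error_safe(buf, sizeof buf, hostile);
    printf("safe   : %s\n", buf);          /* file name shown verbatim */

    report_error_unsafe(buf, sizeof buf, percent);
    printf("unsafe : %s\n", buf);          /* "%%" collapsed to "%" */
    report_error_safe(buf, sizeof buf, percent);
    printf("safe   : %s\n", buf);          /* "%%" preserved */
    return 0;
}
```

The "100%%" name is the smallest demonstration that the unsafe path interprets its argument: the dialog text changes even though no stack arguments are consumed. With the "%s" form the name is never parsed at all, which is why a one-token change at each call site is sufficient.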
Created attachment 47467
same fixes, against 2.8
The patch for 2.10 is committed... I don't plan to make a 2.8 release unless I'm told to, but I'll leave this bug open for now for distros to grab the patch.
I think all the most important distributions have released fixed packages. Closing as FIXED.