After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 306800 - gedit allows users to pass format strings to message dialogs
gedit allows users to pass format strings to message dialogs
Product: gedit
Classification: Applications
Component: general
Other Linux
: Immediate critical
: ---
Assigned To: Gedit maintainers
gedit QA volunteers
Depends on:
Reported: 2005-06-07 17:57 UTC by Ray Strode [halfline]
Modified: 2005-07-22 09:30 UTC
See Also:
GNOME target: ---
GNOME version: ---

use a format string of "%s" (3.78 KB, patch)
2005-06-07 17:58 UTC, Ray Strode [halfline]
none Details | Review
same fixes, against 2.8 (2.42 KB, patch)
2005-06-08 19:15 UTC, Loïc Minier
none Details | Review

Description Ray Strode [halfline] 2005-06-07 17:57:12 UTC
The gtk_message_dialog_new and gtk_message_dialog_format_secondary_text
functions are variadic functions that use format strings to specify the types
and number of arguments passed to the functions.

In many cases, gedit passes data given directly by the user as format strings to
these functions.

gedit will normally put up an error message dialog if the user tries to open a
text file containing random binary data.  If the filename contains format
specifiers then gedit will instead crash.  For example, try

$ dd if=/dev/urandom of=a-file-with-%s%d%f%n-in-its-name.txt bs=512 count=1
$ gedit a-file-with-%s%d%f%n-in-its-name.txt

gedit will crash.  It's possible to specially craft the filename such that gedit
will execute arbitrary code.  

See for more details.
Comment 1 Ray Strode [halfline] 2005-06-07 17:58:43 UTC
Created attachment 47395 [details] [review]
use a format string of "%s"

The following patch adds a "%s" format string to various places in the code
that use the varargs message dialog apis
Comment 2 Loïc Minier 2005-06-08 19:15:00 UTC
Created attachment 47467 [details] [review]
same fixes, against 2.8
Comment 3 Paolo Borelli 2005-06-08 19:23:12 UTC
the patch for 2.10 is committed... I don't plan to make a 2.8 release unless I'm
told to, but I'll leave this bug open for now for distro to grab the patch
Comment 4 Paolo Maggi 2005-07-22 09:30:33 UTC
I think all the most important distributions have released fixed packages.
Closing as FIXED.