Bug 546364 - yelp format string vulnerability
Status: RESOLVED FIXED
Product: yelp
Classification: Applications
Component: General
Version: unspecified
OS: Other Linux
Priority/Severity: Urgent major
Target Milestone: ---
Assigned To: Yelp maintainers
QA Contact: Yelp maintainers
Depends on:
Blocks:
Reported: 2008-08-05 05:27 UTC by Aaron Grattafiori
Modified: 2008-08-13 22:51 UTC
See Also:
GNOME target: ---
GNOME version: ---

Attachments:
patch (610 bytes, patch) - 2008-08-05 11:50 UTC, Christian Persch - committed

Description Aaron Grattafiori 2008-08-05 05:27:49 UTC
Gnome's help program "yelp" is affected by a classic format string vulnerability
when reporting an invalid URI using a gtk_message_dialog. The function gtk_message_dialog_format_secondary_markup() is called without a format string.


Details:
--------
After specifying an invalid URI, using ftp:// or file:// (or even no URI handler at all!), an error message saying "The requested URI %s is invalid" is created on line 1008 of yelp-window.c, which passes the gchar string into the window_error function located at line 1129 of the same file. The GTK dialog box is then created insecurely by *not* using a format string at line 1156 of yelp-window.c.

The function prototype for gtk_message_dialog_format_secondary_markup is:
void gtk_message_dialog_format_secondary_markup (GtkMessageDialog *message_dialog,
                                                 const gchar *message_format,
                                                 ...);
where message_format is a "printf()-style markup string".
see: http://library.gnome.org/devel/gtk/2.12/GtkMessageDialog.html#gtk-message-dialog-format-secondary-markup
Incorrect/vulnerable usage here:
http://svn.gnome.org/viewvc/yelp/trunk/src/yelp-window.c?revision=3145&view=markup
You can see the code was changed "cleaned up" from properly using a format string, to its removal here:
http://svn.gnome.org/viewvc/yelp/trunk/src/yelp-window.c?annotate=2848#l1130

PoC:
----
yelp ftp://%08x.%08x.%08x.%08x.%08x.%08x
yelp %x%x%x%x%x%x://
yelp %08x%08x

Impact:
------

Because of yelp's network capability, this vulnerability may be remotely exploitable via minimal user-assistance in Firefox, Evolution and other programs with the 'man' or 'ghelp' URIs registered. Evolution will prompt the user for confirmation (which displays the program and arguments) but sadly Firefox 3.0 does not allow for preview of the arguments being passed. (I think all arguments being passed to applications via Firefox or whatever program should be displayed. This seems like a regression in security from Firefox 2)

This vulnerability could be exploited to execute arbitrary code with the user's privileges and possible user-assisted execution of arbitrary code by clicking on a malicious link.

Affected Versions:
---------
All newer than 2.19.90

Fix:
----------
Patch the function call to use a format string per GTK+ documentation.
Similar to the properly used call gtk_message_dialog_format_secondary_text()
at line 581 of yelp-print.c


-Aaron Grattafiori
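The two call shapes the report contrasts, as an added example that is not part of this bug's patch or of yelp's code: dialog_secondary_markup() is an assumed vsnprintf()-backed stand-in for the GTK+ API so the program builds without GTK+, window_error_fixed() is the corrected path that hands the message to a constant "%s" format, and has_format_directives() is a hypothetical review-time check for '%' directives in a string about to be used as a format.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for gtk_message_dialog_format_secondary_markup(): a printf()-style
 * sink that writes into a buffer instead of a GtkMessageDialog (an assumption
 * so the example builds without GTK+). */
static int dialog_secondary_markup(char *out, size_t outlen,
                                   const char *message_format, ...)
{
    va_list ap;
    va_start(ap, message_format);
    int n = vsnprintf(out, outlen, message_format, ap);
    va_end(ap);
    return n;
}

/* window_error() as fixed: the already-built message is passed as an argument
 * to a constant "%s" format, never used as the format itself, so any '%' in
 * the URI is rendered literally instead of driving the vararg walk. */
static int window_error_fixed(char *out, size_t outlen, const char *uri)
{
    char message[256];
    snprintf(message, sizeof message, "The requested URI %s is invalid", uri);
    return dialog_secondary_markup(out, outlen, "%s", message);
}

/* Review-time check in the spirit of gcc's -Wformat-security: does a string
 * about to be passed as message_format carry conversion directives? "%%" is
 * harmless; any other '%' means caller data would control the formatting. */
static int has_format_directives(const char *s)
{
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] != '%') return 1;
        s++;                      /* skip the escaped "%%" */
    }
    return 0;
}

int main(void)
{
    char out[256];
    const char *uri = "ftp://%08x.%08x.%08x"; /* constructed, PoC-shaped input */
    window_error_fixed(out, sizeof out, uri);
    printf("%s\n", out); /* the %08x tokens come out as plain text */
    return 0;
}
```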
Comment 1 Christian Persch 2008-08-05 11:50:58 UTC
Created attachment 115890 [details] [review]
patch
Comment 2 Don Scorgie 2008-08-12 19:26:42 UTC
Fixed in SVN.  Will appear in 2.24.  I'm not sure about backporting.  2.22 and 2.20 would need a release.  In the mean time, the bug is fixed in SVN, so I'll close for now.

Shaun, care to weigh in?

2008-08-12  Don Scorgie  <dscorgie@svn.gnome.org>

	* src/yelp-window.c (window_error):
	Fix string vulnerability
	bug #546364 - patch from Christian Persch
	reported by Aaron Grattafiori
Comment 3 Loïc Minier 2008-08-13 22:51:29 UTC
xrefs:
CVE-2008-3533
https://bugs.launchpad.net/ubuntu/+source/yelp/+bug/254860