Bug 687874

Summary: VUL-0: Thunar format string errors
Product: [Novell Products] SUSE Security Incidents
Reporter: Ludwig Nussel <lnussel>
Component: General
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: meissner, security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard: maint:released:11.4:41050
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Ludwig Nussel 2011-04-15 14:28:41 UTC
Your friendly security team received the following report via oss-security.
Please respond ASAP.
The issue is public.

------------------------------------------------------------------------------
Date: Fri, 15 Apr 2011 15:54:08 +0200
From: Yves-Alexis Perez <corsac@debian.org>
Subject: [oss-security] CVE request for Thunar (format string errors)

Two format string errors were recently fixed in Thunar (file manager for
Xfce).

The first one is
http://git.xfce.org/xfce/thunar/commit/?id=1d4dfafda30df071d7c1e0b370f0613cbc92ba74 (bug at https://bugzilla.xfce.org/show_bug.cgi?id=7128, fixed in Thunar 1.2.1) and triggers when creating a file from templates and calling it with a format string.

The second is
http://git.xfce.org/xfce/thunar/commit/?id=03dd312e157d4fa8a11d5fa402706ae5b05806fa and is triggered when copy/pasting a file named from a format string. There's no released version including the fix right now.

I've triggered the (second) bug using file named %s or %n but didn't
really manage to exploit it (it crashes just fine).

I'm not so sure it really needs a CVE so it's a request for discussion
as well :)

As a side note, I do use -Wformat -Wformat-security
-Werror=format-security (thanks to hardening-includes) for my Debian
builds, but as those functions are wrappers of wrappers of wrappers to
printf() and stuff like that, -Wformat-security won't help. Is there a
way to work around that?

Regards,
-- 
Yves-Alexis
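
On the wrapper question raised in the report above, an added example (not part of the original report and not Thunar code): GCC and Clang only apply -Wformat-security to a printf-style wrapper when it carries the `format` attribute, which GLib exposes as `G_GNUC_PRINTF`. The names `set_status`, `status_unsafe` and `status_safe` are hypothetical; the unsafe caller is kept behind `SHOW_UNSAFE` so the file builds cleanly by default.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style wrapper, standing in for the "wrappers of
 * wrappers" around printf(). The attribute declares that argument 3 is a
 * printf format string and the variadic arguments start at argument 4, so
 * -Wformat / -Wformat-security are applied to every caller of the wrapper. */
__attribute__((format(printf, 3, 4)))
static int set_status(char *buf, size_t len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, len, fmt, ap);
    va_end(ap);
    return n;
}

#ifdef SHOW_UNSAFE
/* Vulnerable pattern: the file name is used as the format string, so a
 * name such as "%s" or "%n" is interpreted as directives. Build with
 *   -DSHOW_UNSAFE -Wformat -Werror=format-security
 * and the attribute above turns this call into a compile error; without
 * the attribute the compiler stays silent. */
int status_unsafe(char *buf, size_t len, const char *filename)
{
    return set_status(buf, len, filename);
}
#endif

/* Corrected pattern: a constant format string, with the file name passed
 * only as data. Directives inside the name are copied literally. */
int status_safe(char *buf, size_t len, const char *filename)
{
    return set_status(buf, len, "copying %s", filename);
}

int main(void)
{
    char buf[64];
    /* Constructed sample file name containing format directives. */
    int n = status_safe(buf, sizeof buf, "%n%s");
    printf("%d bytes: %s\n", n, buf);
    return 0;
}
```
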
Comment 1 Sebastian Krahmer 2011-04-19 06:15:21 UTC
Via OSS-sec:


----- Original Message -----
> > >
> > http://git.xfce.org/xfce/thunar/commit/?id=03dd312e157d4fa8a11d5fa402706ae5b05806fa
> > > and is triggered when copy/pasting a file named from a format string.
> > > There's no released version including the fix right now.
> >
> > This would probably qualify.
>
> Even if the user has to manually Ctrl-C/Ctrl-V the file in Thunar?
> Thanks.
> >

This sounds like it's worth a CVE id. It's likely that the various gcc
protections aren't used in all situations.

Use CVE-2011-1588
Comment 3 Thomas Biege 2011-05-03 14:13:30 UTC
p5->p3 mass change
Comment 4 Marcus Meissner 2011-05-12 14:32:47 UTC
opensuse only. so just a submission missing.
Comment 5 Swamp Workflow Management 2011-05-12 14:33:43 UTC
The SWAMPID for this issue is 40867.
This issue was rated as moderate.
Please submit fixed packages until 2011-05-26.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 6 Pavol Rusnak 2011-05-17 15:19:30 UTC
only 11.4+ affected.

submitted to:
11.4 - sr#70477
Factory - sr#70478
Comment 7 Bernhard Wiedemann 2011-05-17 16:00:10 UTC
This is an autogenerated message for OBS integration:
This bug (687874) was mentioned in
https://build.opensuse.org/request/show/70477 11.4 / thunar
https://build.opensuse.org/request/show/70478 Factory / thunar
Comment 8 Swamp Workflow Management 2011-05-20 07:12:05 UTC
Update released for: libthunarx-2-0, libthunarx-2-0-debuginfo, thunar, thunar-debuginfo, thunar-debugsource, thunar-devel, thunar-devel-doc, thunar-doc, thunar-lang
Products:
openSUSE 11.4 (debug, i586, x86_64)
Comment 9 Ludwig Nussel 2011-05-20 12:21:11 UTC
released
Comment 10 Swamp Workflow Management 2019-01-28 12:00:07 UTC
This is an autogenerated message for OBS integration:
This bug (687874) was mentioned in
https://build.opensuse.org/request/show/669045 Factory / thunar
Comment 11 Swamp Workflow Management 2019-08-05 10:11:14 UTC
This is an autogenerated message for OBS integration:
This bug (687874) was mentioned in
https://build.opensuse.org/request/show/720992 Backports:SLE-12-SP2 / exo+libgarcon+libxfce4ui+libxfce4util+perl-ExtUtils-Depends+perl-ExtUtils-PkgConfig+perl-Glib+thunar+xfce4-dev-tools+xfce4-panel+xfconf
Comment 12 Swamp Workflow Management 2019-10-10 19:11:48 UTC
openSUSE-RU-2019:2305-1: An update that solves one vulnerability and has 10 fixes is now available.

Category: recommended (moderate)
Bug References: 1011518,1047218,1135362,637694,687874,760492,764310,767145,829113,860479,952324
CVE References: CVE-2011-1588
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    exo-0.12.0-2.1, libgarcon-0.6.1-2.1, libxfce4ui-4.12.1-2.1, libxfce4util-4.12.1-2.1, perl-ExtUtils-Depends-0.405-2.1, perl-ExtUtils-PkgConfig-1.160000-2.1, perl-Glib-1.326-2.1, thunar-1.6.14-2.1, xfce4-dev-tools-4.12.0-2.1, xfce4-panel-4.12.2-2.1, xfconf-4.12.1-2.1