Bugzilla – Bug 687874
VUL-0: Thunar format string errors
Last modified: 2019-10-10 19:11:48 UTC
Your friendly security team received the following report via oss-security. Please respond ASAP. The issue is public. ------------------------------------------------------------------------------ Date: Fri, 15 Apr 2011 15:54:08 +0200 From: Yves-Alexis Perez <corsac@debian.org> Subject: [oss-security] CVE request for Thunar (format string errors) Two format string errors were recently fixed in Thunar (file manager for Xfce). The first one is http://git.xfce.org/xfce/thunar/commit/?id=1d4dfafda30df071d7c1e0b370f0613cbc92ba74 (bug at https://bugzilla.xfce.org/show_bug.cgi?id=7128) fixed in Thunar 1.2.1) and triggers when creating file from templates and calling it with a format string. The second is http://git.xfce.org/xfce/thunar/commit/?id=03dd312e157d4fa8a11d5fa402706ae5b05806fa and is triggered when copy/pasting a file named from a format string. There's no released version including the fix right now. I've triggered the (second) bug using file named %s or %n but didn't really manage to exploit it (it crashes just fine). I'm not so sure it really needs a CVE so it's a request for discussion as well :) As a side note, I do use -Wformat -Wformat-security -Werror=format-security (thanks to hardening-includes) for my Debian builds, but as those function are wrappers of wrappers of wrappers to printf() and stuff like that, -Wformat-security won't help. Is there a way to work around that? Regards, -- Yves-Alexis
Via OSS-sec: ----- Original Message ----- > > > > > http://git.xfce.org/xfce/thunar/commit/?id=03dd312e157d4fa8a11d5fa402706ae5b05806fa > > > and is triggered when copy/pasting a file named from a format string. > > > There's no released version including the fix right now. > > > > This would probably qualify. > > Even if the user has to manually Ctrl-C/Ctrl-V the file in Thunar? > Thanks. > > This sounds like it's worth a CVE id. It's likely that the various gcc protections aren't used in all situations. Use CVE-2011-1588
p5->p3 mass change
opensuse only. so just a submission missing.
The SWAMPID for this issue is 40867. This issue was rated as moderate. Please submit fixed packages until 2011-05-26. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
only 11.4+ affected. submitted to: 11.4 - sr#70477 Factory - sr#70478
This is an autogenerated message for OBS integration: This bug (687874) was mentioned in https://build.opensuse.org/request/show/70477 11.4 / thunar https://build.opensuse.org/request/show/70478 Factory / thunar
Update released for: libthunarx-2-0, libthunarx-2-0-debuginfo, thunar, thunar-debuginfo, thunar-debugsource, thunar-devel, thunar-devel-doc, thunar-doc, thunar-lang Products: openSUSE 11.4 (debug, i586, x86_64)
released
This is an autogenerated message for OBS integration: This bug (687874) was mentioned in https://build.opensuse.org/request/show/669045 Factory / thunar
This is an autogenerated message for OBS integration: This bug (687874) was mentioned in https://build.opensuse.org/request/show/720992 Backports:SLE-12-SP2 / exo+libgarcon+libxfce4ui+libxfce4util+perl-ExtUtils-Depends+perl-ExtUtils-PkgConfig+perl-Glib+thunar+xfce4-dev-tools+xfce4-panel+xfconf
openSUSE-RU-2019:2305-1: An update that solves one vulnerability and has 10 fixes is now available. Category: recommended (moderate) Bug References: 1011518,1047218,1135362,637694,687874,760492,764310,767145,829113,860479,952324 CVE References: CVE-2011-1588 Sources used: SUSE Package Hub for SUSE Linux Enterprise 12 (src): exo-0.12.0-2.1, libgarcon-0.6.1-2.1, libxfce4ui-4.12.1-2.1, libxfce4util-4.12.1-2.1, perl-ExtUtils-Depends-0.405-2.1, perl-ExtUtils-PkgConfig-1.160000-2.1, perl-Glib-1.326-2.1, thunar-1.6.14-2.1, xfce4-dev-tools-4.12.0-2.1, xfce4-panel-4.12.2-2.1, xfconf-4.12.1-2.1