Possible string format attack

Bug #305623 reported by Emilio Pozuelo Monfort
Affects            Status         Importance   Assigned to              Milestone
vinagre (Ubuntu)   Fix Released   High         Emilio Pozuelo Monfort
Hardy              Fix Released   High         Emilio Pozuelo Monfort
Intrepid           Fix Released   High         Emilio Pozuelo Monfort

Bug Description

Binary package hint: vinagre

There's a security issue in Vinagre, where a user could cause a string format attack.

These are the relevant upstream commits:
http://svn.gnome.org/viewvc/vinagre?view=revision&revision=528 (for hardy)
http://svn.gnome.org/viewvc/vinagre?view=revision&revision=525 (for intrepid and jaunty)

The problem is in src/vinagre-utils.c @ vinagre_utils_show_error, which is used in vinagre-commands.c @ vinagre_cmd_machine_open via vinagre_utils_show_many_errors.

The affected releases are Hardy, Intrepid and Jaunty.

Thanks Kees and James for your help!

Changed in vinagre:
importance: Undecided → High
status: New → Triaged
Kees Cook (kees) wrote :

Reproducer, from the command-line: vinagre %n
Segv on hardy, fortify-abort on intrepid (and jaunty).
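
The bug class behind this reproducer, as an added example that is not part of the original report and is not Vinagre's code: `show_error` is a hypothetical stand-in for a printf-style error helper, and `count_directives` is a hypothetical audit helper. It shows the fixed call shape keeping the reproducer's `%n` as literal text.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a printf-style error helper: the first
 * text parameter is a format string, as in any printf-family function. */
static int show_error(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* Vulnerable call shape (deliberately not compiled in): untrusted text
 * used as the format.
 *     show_error(out, n, host);
 * With host = "%n", the formatter tries to store a count through a
 * pointer argument that was never passed. */

/* Fixed call shape: constant format, untrusted text passed as data. */
int show_error_safe(char *out, size_t n, const char *host)
{
    return show_error(out, n, "%s", host);
}

/* Audit helper: count conversion directives in a string. Any nonzero
 * result means the string must not be used as a format string.
 * "%%" is a literal percent sign and is not counted. */
int count_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }   /* literal percent */
        count++;                              /* includes a trailing lone '%' */
    }
    return count;
}

int main(void)
{
    char buf[64];
    show_error_safe(buf, sizeof buf, "%n");   /* constructed input, taken from the reproducer */
    printf("shown: %s, directives if misused: %d\n", buf, count_directives("%n"));
    return 0;
}
```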

Emilio Pozuelo Monfort (pochu) wrote :

Hardy debdiff. No regressions found, and patch fixes the sigsegv.

Changed in vinagre:
assignee: nobody → pochu
importance: Undecided → High
status: New → Triaged
Emilio Pozuelo Monfort (pochu) wrote :

Let's close this bug report and mention it's a "SECURITY UPDATE" in debian/changelog.

Emilio Pozuelo Monfort (pochu) wrote :

Intrepid debdiff. I've verified it fixes the bug and I've checked for regressions connecting to a vino server in localhost without any issues.

I did the same tests for the Hardy update.

Changed in vinagre:
assignee: nobody → pochu
assignee: nobody → pochu
importance: Undecided → High
status: New → Triaged
Emilio Pozuelo Monfort (pochu) wrote :
Kees Cook (kees) wrote :

Thanks for preparing and testing these updates! Hardy and Intrepid are building in the security queue now.

Changed in vinagre:
status: Triaged → Fix Committed
status: Triaged → Fix Committed
Emilio Pozuelo Monfort (pochu) wrote :

This debdiff merges Vinagre with Debian. Targeted to Jaunty.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package vinagre - 2.24.2-1ubuntu1

---------------
vinagre (2.24.2-1ubuntu1) jaunty; urgency=low

  * Merge from Debian unstable, remaining changes:
    - Launchpad integration.
  * The new upstream release fixes a security exploit (lp: #305623).

vinagre (2.24.2-1) experimental; urgency=high

  * New upstream release with a security fix.
    - Update build dependencies.
  * Update Vcs-* headers.

 -- Emilio Pozuelo Monfort <email address hidden> Sat, 06 Dec 2008 23:21:11 +0100

Changed in vinagre:
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package vinagre - 2.24.1-0ubuntu1.1

---------------
vinagre (2.24.1-0ubuntu1.1) intrepid-security; urgency=low

  * SECURITY UPDATE: string format attack via arguments to the command
    line call. LP: #305623.
  * debian/patches/01_fix_string_format_attack.patch:
    - Format the printf message.

 -- Emilio Pozuelo Monfort <email address hidden> Sat, 06 Dec 2008 01:10:46 +0100

Changed in vinagre:
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package vinagre - 0.5.1-0ubuntu1.1

---------------
vinagre (0.5.1-0ubuntu1.1) hardy-security; urgency=low

  * SECURITY UPDATE: string format attack via arguments to the command
    line call. LP: #305623.
  * debian/rules: add simple-patchsys.
  * debian/patches/01_fix_format_string_attack.patch:
    - Format the printf message.

 -- Emilio Pozuelo Monfort <email address hidden> Sat, 06 Dec 2008 00:40:54 +0100

Changed in vinagre:
status: Fix Committed → Fix Released
Kees Cook (kees) wrote :
This report contains Public Security information  
Everyone can see this security related information.