Bug 1037393
Summary: | xdialog FTBFS if "-Werror=format-security" flag is used | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Dhiru Kholia <dkholia> |
Component: | xdialog | Assignee: | Conrad Meyer <cse.cem+redhatbugz> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | rawhide | CC: | bressers, cse.cem+redhatbugz, pertusus, thoger |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | xdialog-2.3.1-13.fc20 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2013-12-12 02:53:51 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1038083 |
Description
Dhiru Kholia
2013-12-03 06:06:39 UTC
Yeah, this is a legit issue in Xdialog. We end up fprintf()ing a string with mostly trusted input, but also argv[0], which can be anything... Here's the rawhide build: http://koji.fedoraproject.org/koji/taskinfo?taskID=6251879 Pushed and building in F20, F19. (In reply to Conrad Meyer from comment #1) > Yeah, this is a legit issue in Xdialog. We end up fprintf()ing a string with > mostly trusted input, but also argv[0], which can be anything... Do we need a CVE for this? xdialog-2.3.1-13.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/xdialog-2.3.1-13.fc19 xdialog-2.3.1-13.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/xdialog-2.3.1-13.fc20 (In reply to Dhiru Kholia from comment #4) > (In reply to Conrad Meyer from comment #1) > > Yeah, this is a legit issue in Xdialog. We end up fprintf()ing a string with > > mostly trusted input, but also argv[0], which can be anything... > > Do we need a CVE for this? I don't think so. I think Xdialog just runs with the permissions of the user invoking it anyway. Package xdialog-2.3.1-13.fc20: * should fix your issue, * was pushed to the Fedora 20 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing xdialog-2.3.1-13.fc20' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-22652/xdialog-2.3.1-13.fc20 then log in and leave karma (feedback). There is some discussion in the bodhi request on whether this update should be marked as security update rather than bug fix: https://admin.fedoraproject.org/updates/FEDORA-2013-22697/xdialog-2.3.1-13.fc19 I'm moving the discussion here instead, as BZ is really a better place than bodhi for any longer explanation. For this change, I do prefer to avoid calling it security unless we can demonstrate relevant security impacts. This is rather unlikely to have security impact: - Fedora glibc has mitigation in place to block exploiting format string issues for code execution. Those attacks rely on %n format, which is what glibc checks for: $ bash -c 'exec -a "%n" Xdialog' %n: missing box option ! *** %n in writable segment detected *** Aborted Hence impact is limited to crash or information leak: $ bash -c 'exec -a "%s%s%s%s%s%s" Xdialog' %s%s%s%s%s%s: missing box option ! Segmentation fault $ bash -c 'exec -a "%x%x%x%x%x%x" Xdialog' %x%x%x%x%x%x: missing box option ! Xdialog v2.3.1 by Thierry Godefroy <xdialog> (v1.0 was written by Alfred at Cyberone Internet <alfred.au>). Xdialog home page available at: http://xdialog.dyns.net/ Usage: 312e7660dcda49c02078257825782578250 [<common options>] [<transient options>] <box option> ... ... These impacts may be relevant in certain cases (when affected application is a daemon or setuid application), which does not seem to be the case here. - Things like command line arguments (or argv[0]) in this case are generally considered trusted input when no dealing with setuid applications. I can't think of a good way to make other user run this with odd argv[0] - they'd either have to run attacker's specially crafted command that sets crafted argv[0] (format string issue does not matter in this case), or run Xdialog using some very suspicious link. Why does this all matter? Because there are users who care about security advisories released (e.g. to prioritize security updates over non-security), and things like security fixes pushed as bug fixes or vice versa cause issues. xdialog-2.3.1-13.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report. xdialog-2.3.1-13.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. |