Bug 698290 (CVE-2011-1588)

Summary: CVE-2011-1588 Thunar: Format string flaw when copying / moving files with % in the name
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED RAWHIDE
Severity: low
Priority: low
Version: unspecified
CC: christoph.wickert, kevin, maxamillion, pertusus
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-04-20 17:14:35 UTC

Description Jan Lieskovsky 2011-04-20 15:20:12 UTC
A format string flaw was found in the way Thunar file manager used
to copy / move files with % formatters in their name. A remote attacker
could provide a specially-crafted file and trick the local victim
into copying / moving it via Thunar, leading to Thunar executable
crash or, possibly, arbitrary code execution with the privileges
of the user running Thunar.

Issue severity note:
====================
The FORTIFY_SOURCE feature would mitigate the impact of this flaw to
a crash only on particular Fedora versions.

Upstream patch:
[1] http://git.xfce.org/xfce/thunar/commit/?id=03dd312e157d4fa8a11d5fa402706ae5b05806fa

References:
[2] http://www.openwall.com/lists/oss-security/2011/04/15/4
[3] http://www.openwall.com/lists/oss-security/2011/04/15/5
[4] http://www.openwall.com/lists/oss-security/2011/04/15/6
[5] http://www.openwall.com/lists/oss-security/2011/04/18/6
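
The flaw class described above, as an added illustration that is not Thunar's code and not part of this bug report: a hypothetical message builder that passes a file's display name as the printf-style format, beside the hardened form (a literal format with the name as a "%s" argument, which is what the NEWS entry "Don't interpret file display names as format strings" amounts to), plus a percent-escaping helper and a check for names that would be misread. The name SAMPLE_NAME and all function names are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed display name: a '%' followed by a conversion letter is all
 * a printf-style layer needs to misread the name as a directive. */
#define SAMPLE_NAME "report 100%d.txt"

static char *copy_string(const char *s)
{
    char *out = malloc(strlen(s) + 1);
    return out ? strcpy(out, s) : NULL;
}

/* Vulnerable pattern (hypothetical, not Thunar's code): the untrusted name is
 * the format itself; gcc -Wformat-security flags it. Shown only, never run. */
char *message_unsafe(const char *display_name)
{
    char buf[128];
    snprintf(buf, sizeof buf, display_name);
    return copy_string(buf);
}

/* Hardened form (what the NEWS entry describes): the format is a literal and
 * the name travels as a "%s" argument, so any '%' inside it is plain data. */
char *message_safe(const char *display_name)
{
    char buf[128];
    snprintf(buf, sizeof buf, "Copying \"%s\"", display_name);
    return copy_string(buf);
}

/* Alternative when the name must still pass through a printf-style layer
 * later (e.g. spliced into a message template): double every '%'. */
char *escape_percent(const char *s)
{
    size_t extra = 0;
    for (const char *p = s; *p; p++) extra += (*p == '%');
    char *out = malloc(strlen(s) + extra + 1), *q = out;
    if (!out) return NULL;
    for (const char *p = s; *p; p++) {
        *q++ = *p;
        if (*p == '%') *q++ = '%';
    }
    *q = '\0';
    return out;
}

/* Audit check: would this name be misread if it ever reached a format slot? */
int name_has_directive(const char *s) { return strchr(s, '%') != NULL; }
```

With _FORTIFY_SOURCE enabled (the mitigation the severity note refers to), the unsafe variant is additionally checked at run time, which is why the report expects a crash rather than code execution on those builds.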

Comment 1 Jan Lieskovsky 2011-04-20 15:24:21 UTC
This issue did NOT affect the versions of the Thunar package
as shipped with Fedora releases 13 and 14 (those versions
do not contain the flaw-relevant functionality yet).

This issue affects the versions of Thunar package, as scheduled
to appear in Fedora release of 15 (Thunar-1.2.1-5.fc15) and
as present in Rawhide (Thunar-1.3.0-3.fc16). Please schedule
an update of those.

Comment 2 Christoph Wickert 2011-04-20 16:44:15 UTC
Working on that.

Comment 3 Christoph Wickert 2011-04-20 17:14:35 UTC
(In reply to comment #1)
> This issue affects the versions of Thunar package, as scheduled
> to appear in Fedora release of 15 (Thunar-1.2.1-5.fc15)

This is not correct; as written in the first mail, the fix is already in 1.2.1. It's also mentioned in /usr/share/doc/Thunar-1.2.1/NEWS

1.2.1
=====
- Paste files in correct order (bug #6504).
- Fix truncated strings when loading and storing emblems (bug #7171).
- Only erase top-level items from trash (bug #7147).
- Don't interpret file display names as format strings (bug #7128).
> and as present in Rawhide (Thunar-1.3.0-3.fc16). Please schedule
> an update of those.

Fixed in http://koji.fedoraproject.org/koji/taskinfo?taskID=3014396