Bug 235411 - (CVE-2007-2027) CVE-2007-2027 elinks tries to load .po files from a non-absolute path
CVE-2007-2027 elinks tries to load .po files from a non-absolute path
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
http://bugs.debian.org/cgi-bin/bugrep...
impact=low,source=debian,reported=200...
: Reopened, Security
Depends On: 525695 525696 525697 525698 833894
Blocks: 235412
  Show dependency treegraph
 
Reported: 2007-04-05 12:28 EDT by Lubomir Kundrak
Modified: 2012-06-20 10:06 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-10-01 14:16:42 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Lubomir Kundrak 2007-04-05 12:28:40 EDT
Description of problem:

Arnaud Giersch discovered that the following chunk of code from
src/intl/gettext/loadmsgcat.c:add_filename_to_string() causes elinks
to read .po files fro man untrusted location.

215         if ((dirnamelen && !add_bytes_to_string(str, program.path, dirnamelen))
216             || !add_to_string(str, "../po/")
217             || !add_bytes_to_string(str,

An untrusted message catalog might lead to a format-string attack when an
attacker tricks user into launching links from a particular directory.

Version-Release number of selected component (if applicable):

        Doesn't Affect: RHEL3
        Affects: RHEL4
        Affects: RHEL5
        Affects: FC5
        Affects: FC6

Additional info:

It is questionable who would launch elinks from a directory controlled
by someone else and thus whether this is exploitable in real world.
Comment 1 Stefan Cornelius 2007-05-30 15:29:13 EDT
Upstream patches:
http://pasky.or.cz/gitweb.cgi?p=elinks.git;a=commit;h=110c564af3c12f40743b7e1adcfd3a034d73b601
http://pasky.or.cz/gitweb.cgi?p=elinks.git;a=commit;h=928f364ba2803f98d71775dc03b694d6403c0754

These patches were questioned in the debian bug, however it seems like doubts
were unreasonable.
Comment 2 Karel Zak 2007-05-31 03:10:57 EDT
FC6 update: elinks-0.11.1-5.2
Comment 3 Ondrej Vasik 2007-10-05 08:25:22 EDT
Closing...already fixed quiet long time ago... as CURRENT_RELEASE elinks-0.11.1-5.2
Comment 4 Tomas Hoger 2009-09-25 05:53:48 EDT
Re-open to get the fixes to RHEL4/5 too.
Comment 7 errata-xmlrpc 2009-10-01 13:26:29 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2009:1471 https://rhn.redhat.com/errata/RHSA-2009-1471.html

Note You need to log in before you can comment on or make changes to this bug.