Bug 235411 (CVE-2007-2027) - CVE-2007-2027 elinks tries to load .po files from a non-absolute path
Summary: CVE-2007-2027 elinks tries to load .po files from a non-absolute path
Alias: CVE-2007-2027
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://bugs.debian.org/cgi-bin/bugrep...
Whiteboard: impact=low,source=debian,reported=200...
Keywords: Reopened, Security
Depends On: 525695 525696 525697 525698 833894
Blocks: 235412
TreeView+ depends on / blocked
Reported: 2007-04-05 16:28 UTC by Lubomir Kundrak
Modified: 2012-06-20 14:06 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-10-01 18:16:42 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:1471 normal SHIPPED_LIVE Important: elinks security update 2009-10-01 17:26:23 UTC

Description Lubomir Kundrak 2007-04-05 16:28:40 UTC
Description of problem:

Arnaud Giersch discovered that the following chunk of code from
src/intl/gettext/loadmsgcat.c:add_filename_to_string() causes elinks
to read .po files fro man untrusted location.

215         if ((dirnamelen && !add_bytes_to_string(str, program.path, dirnamelen))
216             || !add_to_string(str, "../po/")
217             || !add_bytes_to_string(str,

An untrusted message catalog might lead to a format-string attack when an
attacker tricks user into launching links from a particular directory.

Version-Release number of selected component (if applicable):

        Doesn't Affect: RHEL3
        Affects: RHEL4
        Affects: RHEL5
        Affects: FC5
        Affects: FC6

Additional info:

It is questionable who would launch elinks from a directory controlled
by someone else and thus whether this is exploitable in real world.

Comment 1 Stefan Cornelius 2007-05-30 19:29:13 UTC
Upstream patches:

These patches were questioned in the debian bug, however it seems like doubts
were unreasonable.

Comment 2 Karel Zak 2007-05-31 07:10:57 UTC
FC6 update: elinks-0.11.1-5.2

Comment 3 Ondrej Vasik 2007-10-05 12:25:22 UTC
Closing...already fixed quiet long time ago... as CURRENT_RELEASE elinks-0.11.1-5.2

Comment 4 Tomas Hoger 2009-09-25 09:53:48 UTC
Re-open to get the fixes to RHEL4/5 too.

Comment 7 errata-xmlrpc 2009-10-01 17:26:29 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2009:1471 https://rhn.redhat.com/errata/RHSA-2009-1471.html

Note You need to log in before you can comment on or make changes to this bug.