Bug 412741 - Multiple security issues fixed in Xfce 4.4.2
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
URL: http://www.xfce.org/documentation/cha...
Keywords: Security
Depends On: 412751 412761
Reported: 2007-12-05 15:19 EST by Lubomir Kundrak
Modified: 2008-01-10 03:52 EST (History)

Doc Type: Bug Fix
Last Closed: 2008-01-09 07:09:06 EST

Comment 1 Lubomir Kundrak 2007-12-05 15:24:18 EST
CVE Identifiers were requested.
Comment 3 Michael Cronenworth 2007-12-11 11:03:06 EST
Should this not be assigned, or at least CC'd, to the XFCE package maintainer?
The maintainer does not even seem aware that the update is available as there
are not even packages available on updates-testing.
Comment 4 Kevin Fenzi 2007-12-11 11:32:13 EST
I'm assigned on the two "depends on" bugs here, one for F7 and one for F8.

I've been working hard to get Xfce upgraded over the last few weeks...
There are 21 main Xfce packages, and 8 plugins that need to be rebuilt, tested,
and pushed for an update. ;)

That said, the 4.4.2 packages should go out to testing in the next updates push.
I would like to see them get a few days in testing before pushing such a big set
of packages out to stable. Please do test them and provide feedback in bodhi or
here.
Comment 5 Lubomir Kundrak 2007-12-11 12:07:51 EST
Michael: correct. I forgot; I usually create these bugs automatically and the
script adds the maintainer to Cc. Anyways, he was assigned the tracking bugs, so,
as he says, he is aware.
Comment 6 Tomas Hoger 2008-01-09 07:09:06 EST
Updates were pushed to stable repositories for both Fedora 7 and Fedora 8:

  https://admin.fedoraproject.org/updates/F7/FEDORA-2007-4385
  https://admin.fedoraproject.org/updates/F8/FEDORA-2007-4368

Closing bug.
Comment 7 Tomas Hoger 2008-01-10 03:52:01 EST
CVE ids:

CVE-2007-6531
Stack-based buffer overflow in the Panel (xfce4-panel) component in
Xfce before 4.4.2 might allow remote attackers to execute arbitrary
code via Launcher tooltips.  NOTE: a second buffer overflow
(over-read) in the xfce_mkdirhier function was also reported, but it
might not be exploitable for a crash or code execution, so it is not a
vulnerability.

CVE-2007-6532
Double-free vulnerability in the Widget Library (libxfcegui4) in Xfce
before 4.4.2 might allow remote attackers to execute arbitrary code
via unknown vectors related to the "client id, program name and
working directory in session management."
