Bug 412741 - Multiple security issues fixed in Xfce 4.4.2
Summary: Multiple security issues fixed in Xfce 4.4.2
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://www.xfce.org/documentation/cha...
Whiteboard:
Depends On: 412751 412761
Blocks:
 
Reported: 2007-12-05 20:19 UTC by Lubomir Kundrak
Modified: 2008-01-10 08:52 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-01-09 12:09:06 UTC
Embargoed:



Comment 1 Lubomir Kundrak 2007-12-05 20:24:18 UTC
CVE Identifiers were requested.

Comment 3 Michael Cronenworth 2007-12-11 16:03:06 UTC
Should this not be assigned, or at least CC'd, to the XFCE package maintainer?
The maintainer does not even seem aware that the update is available as there
are not even packages available on updates-testing.

Comment 4 Kevin Fenzi 2007-12-11 16:32:13 UTC
I'm assigned on the two "depends on" bugs here, one for F7 and one for F8. 

I've been working hard to get Xfce upgraded over the last few weeks... 
There are 21 main Xfce packages, and 8 plugins that need to be rebuilt, tested,
and pushed for an update. ;)

That said, the 4.4.2 packages should go out to testing in the next updates push. 
I would like to see them get a few days in testing before pushing such a big set
of packages out to stable. Please do test them and provide feedback in bodhi or
here. 

Comment 5 Lubomir Kundrak 2007-12-11 17:07:51 UTC
Michael: correct. I forgot, I usually create these bugs automatically and the script
adds the maintainer to Cc. Anyways, he was assigned the tracking bugs, so, as he
says, he is aware.

Comment 6 Tomas Hoger 2008-01-09 12:09:06 UTC
Updates were pushed to stable repositories for both Fedora 7 and Fedora 8:

  https://admin.fedoraproject.org/updates/F7/FEDORA-2007-4385
  https://admin.fedoraproject.org/updates/F8/FEDORA-2007-4368

Closing bug.

Comment 7 Tomas Hoger 2008-01-10 08:52:01 UTC
CVE ids:

CVE-2007-6531
Stack-based buffer overflow in the Panel (xfce4-panel) component in
Xfce before 4.4.2 might allow remote attackers to execute arbitrary
code via Launcher tooltips.  NOTE: a second buffer overflow
(over-read) in the xfce_mkdirhier function was also reported, but it
might not be exploitable for a crash or code execution, so it is not a
vulnerability.

CVE-2007-6532
Double-free vulnerability in the Widget Library (libxfcegui4) in Xfce
before 4.4.2 might allow remote attackers to execute arbitrary code
via unknown vectors related to the "client id, program name and
working directory in session management."
