Bug 698290 (CVE-2011-1588) - CVE-2011-1588 Thunar: Format string flaw when copying / moving files with % in the name
Status: CLOSED RAWHIDE
Alias: CVE-2011-1588
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
Reported: 2011-04-20 15:20 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:44 UTC

Doc Type: Bug Fix
Last Closed: 2011-04-20 17:14:35 UTC

Links
System ID Private Priority Status Summary Last Updated
Xfce 7128 0 None None None Never

Description Jan Lieskovsky 2011-04-20 15:20:12 UTC
A format string flaw was found in the way Thunar file manager used
to copy / move files with % formatters in their name. A remote attacker
could provide a specially-crafted file and trick the local victim
into copying / moving it via Thunar, leading to Thunar executable
crash or, possibly, arbitrary code execution with the privileges
of the user running Thunar.

Issue severity note:
====================
The FORTIFY_SOURCE feature would mitigate the impact of this flaw to
be crash only on particular Fedora versions.

Upstream patch:
[1] http://git.xfce.org/xfce/thunar/commit/?id=03dd312e157d4fa8a11d5fa402706ae5b05806fa

References:
[2] http://www.openwall.com/lists/oss-security/2011/04/15/4
[3] http://www.openwall.com/lists/oss-security/2011/04/15/5
[4] http://www.openwall.com/lists/oss-security/2011/04/15/6
[5] http://www.openwall.com/lists/oss-security/2011/04/18/6
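
The flaw class described above (a file display name reaching a printf-style function as the format argument), shown next to the constant-format fix, as an added example that is not Thunar's code or part of the original report. job_info_message, report_unsafe, report_safe and format_directives are hypothetical names, and the constructed sample name uses only "%%" so the unsafe call stays well-defined.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style status helper (stand-in, not Thunar's API). */
static char last_message[256];
static const char *job_info_message(const char *format, ...)
{
    va_list args;
    va_start(args, format);
    vsnprintf(last_message, sizeof last_message, format, args);
    va_end(args);
    return last_message;
}

/* Before: the file name is used as the format string itself. */
static const char *report_unsafe(const char *display_name)
{
    return job_info_message(display_name);
}

/* After: constant format, the file name is only ever data. */
static const char *report_safe(const char *display_name)
{
    return job_info_message("%s", display_name);
}

/* Triage check: directives in a name that would fetch missing arguments. */
static int format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%')
            s++;   /* "%%" prints one '%' and reads no argument */
        else
            n++;   /* any other directive reads an argument never passed */
    }
    return n;
}

int main(void)
{
    const char *name = "backup 100%% done.txt";   /* constructed sample */
    printf("directives: %d\n", format_directives(name));
    printf("unsafe: %s\n", report_unsafe(name));  /* name gets rewritten */
    printf("safe:   %s\n", report_safe(name));    /* name shown verbatim */
    return 0;
}
```

Declaring such a helper with GCC's __attribute__((format(printf, 1, 2))) lets -Wformat-security flag the report_unsafe call at compile time.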

Comment 1 Jan Lieskovsky 2011-04-20 15:24:21 UTC
This issue did NOT affect the versions of the Thunar package,
as shipped with Fedora release of 13 and 14 (those versions
do not contain the flaw relevant functionality yet).

This issue affects the versions of Thunar package, as scheduled
to appear in Fedora release of 15 (Thunar-1.2.1-5.fc15) and
as present in Rawhide (Thunar-1.3.0-3.fc16). Please schedule
an update of those.

Comment 2 Christoph Wickert 2011-04-20 16:44:15 UTC
Working on that.

Comment 3 Christoph Wickert 2011-04-20 17:14:35 UTC
(In reply to comment #1)
> This issue affects the versions of Thunar package, as scheduled
> to appear in Fedora release of 15 (Thunar-1.2.1-5.fc15)

This is not correct; as written in the first mail, the fix is already in 1.2.1. It's also mentioned in /usr/share/doc/Thunar-1.2.1/NEWS:

1.2.1
=====
- Paste files in correct order (bug #6504).
- Fix truncated strings when loading and storing emblems (bug #7171).
- Only erase top-level items from trash (bug #7147).
- Don't interpret file display names as format strings (bug #7128).


> and as present in Rawhide (Thunar-1.3.0-3.fc16). Please schedule
> an update of those.

Fixed in http://koji.fedoraproject.org/koji/taskinfo?taskID=3014396

