From owner-freebsd-gnome@FreeBSD.ORG Fri Dec 26 17:10:03 2008
Delivered-To: gnome@FreeBSD.org
Date: Fri, 26 Dec 2008 20:00:02 +0300 (MSK)
From: Eygene Ryabinkin
To: FreeBSD-gnats-submit@FreeBSD.org
Reply-To: Eygene Ryabinkin
Subject: ports/129959: [patch] [vuxml] net/vinagre: fix security issue and update to 0.5.2
Message-Id: <20081226170002.326B31711E@shadow.codelabs.ru>
X-Send-Pr-Version: 3.113
X-GNATS-Notify: gnome@FreeBSD.org
Resent-Date: Fri, 26 Dec 2008 17:10:01 GMT
Resent-Message-Id: <200812261710.mBQHA16r099225@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-ports-bugs@FreeBSD.org
Resent-Cc: gnome@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Eygene Ryabinkin
List-Id: GNOME for FreeBSD -- porting and maintaining

>Number: 129959
>Category: ports
>Synopsis: [patch] [vuxml] net/vinagre: fix security issue and update to 0.5.2
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Dec 26 17:10:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Eygene Ryabinkin
>Release: FreeBSD 7.1-PRERELEASE amd64
>Organization: Code Labs
>Environment:
System: FreeBSD 7.1-PRERELEASE amd64
>Description:
CORE Security Technologies informed about a vulnerability in vinagre:
-----
A format string error has been found on the 'vinagre_utils_show_error()' function that can be exploited via commands issued from a malicious server containing format string specifiers on the VNC name.

In a web based attack scenario, the user would be required to connect to a malicious server. Successful exploitation would then allow the attacker to execute arbitrary code with the privileges of the Vinagre user.
-----
The advisory names 2.24.2 as the first non-vulnerable version. The update to the 2.24 branch was made on 05 Dec 2008. The corresponding update to the 0.5 branch was made on 05 Dec 2008 and the new version is 0.5.2.
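The bug class behind this report, as an added C example that is neither vinagre's code nor part of the original PR: the advisory says vinagre_utils_show_error() handed a server-supplied VNC desktop name to a printf-style call as the format string. The pair below shows that pattern beside the standard fix (a literal "%s" format with the untrusted text demoted to an argument), plus a small pre-check that counts conversion directives in untrusted text. The helper render_dialog_text() stands in for the GTK dialog call; its name, the show_error_* names and the sample server name are assumptions for the demo. Only "%%" is fed to the vulnerable path, because evaluating a real "%x"/"%n" payload without matching arguments is undefined behaviour.

```c
/* Added example, not vinagre's code: vulnerable vs. fixed show_error on a
 * constructed VNC desktop name, modelled on the pattern in ports/129959. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in (assumed, not GTK) for gtk_message_dialog_new()'s printf-style
 * message argument: whatever arrives in `format` is parsed by vsnprintf. */
static void render_dialog_text(char *out, size_t outlen, const char *format, ...)
{
    va_list ap;
    va_start(ap, format);
    vsnprintf(out, outlen, format, ap);
    va_end(ap);
}

/* Vulnerable pattern: the untrusted message *is* the format string.
 * A name carrying "%x", "%s" or "%n" makes vsnprintf read (or, with %n,
 * write) through the stack with no matching arguments. The demo feeds it
 * only "%%", which consumes no argument and is safe to evaluate. */
void show_error_vulnerable(char *out, size_t outlen, const char *server_message)
{
    render_dialog_text(out, outlen, server_message);
}

/* Fixed pattern: a literal format, the untrusted text passed as data. */
void show_error_fixed(char *out, size_t outlen, const char *server_message)
{
    render_dialog_text(out, outlen, "%s", server_message);
}

/* Pre-check for text that is about to reach any printf-family call:
 * number of conversion directives ('%' not escaped as "%%"). A lone
 * trailing '%' counts as a directive, since printf would treat it as one. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {  /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed desktop name a rogue VNC server might advertise. */
    const char *name = "Lab VNC 100%% owned by %%s";
    char vuln[128], fixed[128];

    show_error_vulnerable(vuln, sizeof vuln, name);
    show_error_fixed(fixed, sizeof fixed, name);

    printf("vulnerable: %s\n", vuln);   /* "%%" collapsed: the name was parsed as a format */
    printf("fixed:      %s\n", fixed);  /* shown verbatim */
    printf("directives in \"%s\": %d\n",
           "%x.%x.%x.%n", count_format_directives("%x.%x.%x.%n"));
    return 0;
}
```

The only observable difference on the safe input is the collapsed "%%", but that is exactly the evidence that the server-controlled string reached vsnprintf as a format; with the "%x.%x.%x.%n" string the same vulnerable path would dereference stack slots and write to one of them.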
Fix for 2.24 is here: http://svn.gnome.org/viewvc/vinagre/branches/gnome-2-24/src/vinagre-utils.c?r1=490&r2=525&view=patch Fix for 0.5.2 was merged from branch gnome-2-22: http://svn.gnome.org/viewvc/vinagre/tags/VINAGRE_0_5_2/src/vinagre-utils.c?view=log And the fix for branch gnome-2-22, http://svn.gnome.org/viewvc/vinagre/branches/gnome-2-22/src/vinagre-utils.c?r1=252&r2=528&pathrev=528 is the same as for 2.24. >How-To-Repeat: http://www.coresecurity.com/content/vinagre-format-string http://ftp.gnome.org/pub/GNOME/sources/vinagre/0.5/vinagre-0.5.2.news http://ftp.gnome.org/pub/GNOME/sources/vinagre/2.24/vinagre-2.24.2.news >Fix: The following patch updates the port to 0.5.2 thus fixing the security issue: --- update-to-0.5.2.diff begins here --- >From 92848964e91e45011537456d4424c5968313cac2 Mon Sep 17 00:00:00 2001 From: Eygene Ryabinkin Date: Fri, 26 Dec 2008 19:41:40 +0300 0.5.2 fixes security issue discovered by CORE Security Technologies: http://www.coresecurity.com/content/vinagre-format-string http://ftp.gnome.org/pub/GNOME/sources/vinagre/0.5/vinagre-0.5.2.news Signed-off-by: Eygene Ryabinkin --- net/vinagre/Makefile | 3 +-- net/vinagre/distinfo | 6 +++--- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/net/vinagre/Makefile b/net/vinagre/Makefile index f4dad51..661184c 100644 --- a/net/vinagre/Makefile +++ b/net/vinagre/Makefile @@ -7,8 +7,7 @@ # PORTNAME= vinagre -PORTVERSION= 0.5.1 -PORTREVISION= 3 +PORTVERSION= 0.5.2 CATEGORIES= net gnome MASTER_SITES= ${MASTER_SITE_GNOME} MASTER_SITE_SUBDIR= sources/${PORTNAME}/${PORTVERSION:C/^([0-9]+\.[0-9]+).*/\1/} diff --git a/net/vinagre/distinfo b/net/vinagre/distinfo index ffe1f67..e8cb385 100644 --- a/net/vinagre/distinfo +++ b/net/vinagre/distinfo 
@@ -1,3 +1,3 @@ -MD5 (gnome2/vinagre-0.5.1.tar.bz2) = 48e0079631952216743720fa1c59f621 -SHA256 (gnome2/vinagre-0.5.1.tar.bz2) = 971d32e74b553a68babfed14bedb1118c9882e1f1e5614889ec6f0795885e2a3 -SIZE (gnome2/vinagre-0.5.1.tar.bz2) = 1048927 +MD5 (gnome2/vinagre-0.5.2.tar.bz2) = abf277899e28ec9beea9a2f7c331267d +SHA256 (gnome2/vinagre-0.5.2.tar.bz2) = b45f084343ad892bc303e2d0dada186d588ae6f0ccc419340024a2533e5a775b +SIZE (gnome2/vinagre-0.5.2.tar.bz2) = 1031512 -- 1.6.0.6 --- update-to-0.5.2.diff ends here --- The following VuXML entry should be evaluated and added: --- vuln.xml begins here --- vinagre -- format string vulnerability vinagre 0.5.2
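Review bot: Dropping PORTREVISION outright on the 0.5.1 to 0.5.2 bump in the Makefile hunk is correct (a new PORTVERSION restarts the revision at an implicit 0), and the unchanged MASTER_SITE_SUBDIR context `sources/${PORTNAME}/${PORTVERSION:C/^([0-9]+\.[0-9]+).*/\1/}` still maps 0.5.2 to sources/vinagre/0.5/, matching the 0.5/ directory of the NEWS file cited under How-To-Repeat. Since the diffstat shows only Makefile and distinfo changing, confirm before commit that any local patches under files/ still apply to the 0.5.2 tree and that pkg-plist needs no update; neither is visible from the patch.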
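Review bot: The new MD5, SHA256 and SIZE lines in the distinfo hunk are the only integrity check the ports framework applies to the distfile, so the committer should regenerate them with `make makesum` from a fresh fetch and compare against the checksums upstream publishes for the release rather than committing the submitted values as-is; a wrong hash fails at fetch time, but a hash that matches a tampered tarball would not. The SIZE change from 1048927 to 1031512 bytes is plausible for a point release, and the gnome2/ prefix (DIST_SUBDIR) is kept consistently across all three entries.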

CORE Security Technologies reports:

A format string error has been found on the vinagre_utils_show_error() function that can be exploited via commands issued from a malicious server containing format string specifiers on the VNC name.

In a web based attack scenario, the user would be required to connect to a malicious server. Successful exploitation would then allow the attacker to execute arbitrary code with the privileges of the Vinagre user.

Bugtraq ID: 32682
References:
http://www.coresecurity.com/content/vinagre-format-string
http://ftp.gnome.org/pub/GNOME/sources/vinagre/0.5/vinagre-0.5.2.news
Discovery date: 09-12-2008
Entry date: TODAY
--- vuln.xml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted: