According to http://library.gnome.org/devel/gtk/unstable/GtkMessageDialog.html#gtk-message-dialog-new, the 5th argument to gtk-message-dialog-new should be a printf-style format string, with the arguments following to be the arguments for the format string; however, the code in netdomjoin-gui.c instead provides only the string. When compiling with -Werror=format-security, this will fail (see http://wiki.mandriva.com/en/Development/Packaging/Problems#format_not_a_string_literal_and_no_format_arguments). While unlikely, this could be a vulnerability that could be exploited for privilege escalation (e.g., if otherwise unprivileged users are provided with a means to execute netdomjoin-gui as root, e.g. via sudo).
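The pattern described in the report, as an added example that is not part of the original bug report or the Samba source: `dialog_text` is a hypothetical stand-in for the printf-style message parameter of gtk_message_dialog_new, and the sample message is constructed. Removing the pragma lines reproduces the -Wformat-security diagnostic the report mentions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the message parameter of gtk_message_dialog_new():
 * a printf-style format followed by its arguments. It returns the rendered
 * text in a static buffer instead of opening a dialog. */
__attribute__((format(printf, 1, 2)))
static const char *dialog_text(const char *message_format, ...)
{
    static char buf[256];
    va_list ap;

    va_start(ap, message_format);
    vsnprintf(buf, sizeof(buf), message_format, ap);
    va_end(ap);
    return buf;
}

/* Pattern from the report: the message itself is passed as the format.
 * The pragma only keeps this example building under -Werror=format-security. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
static const char *render_unsafe(const char *msg)
{
    return dialog_text(msg);
}
#pragma GCC diagnostic pop

/* Corrected pattern: constant format string, message passed as data. */
static const char *render_safe(const char *msg)
{
    return dialog_text("%s", msg);
}

int main(void)
{
    /* Constructed sample. "%%" consumes no argument, so the difference is
     * visible without invoking undefined behaviour. */
    const char *msg = "Failed to join domain: quota at 100%% of limit";

    printf("unsafe: %s\n", render_unsafe(msg));
    printf("safe:   %s\n", render_safe(msg));
    return 0;
}
```

The unsafe path rewrites the text because the `%` sequence is interpreted as a directive, while the `"%s"` form displays the message byte for byte.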
Created attachment 5768 v3-5-test patch (port from master)
Karolin, please pick for 3.5 and 3.4
Pushed to v3-5-test and v3-4-test. Closing out bug report. Thanks!