Bug 7500 - netdomjoin-gui.c uses a string where a printf-style format string and arguments for the format string should be provided
Summary: netdomjoin-gui.c uses a string where a printf-style format string and argumen...
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.5
Classification: Unclassified
Component: Client Tools (show other bugs)
Version: 3.5.3
Hardware: Other Linux
: P3 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL: http://svn.mandriva.com/cgi-bin/viewv...
Keywords:
Depends on:
Blocks:
 
Reported: 2010-06-08 04:06 UTC by Buchan Milne
Modified: 2010-06-09 08:42 UTC (History)
0 users

See Also:
jelmer: review+

Attachments
v3-5-test patch (port from master) (1.14 KB, patch)
2010-06-08 05:31 UTC, Guenther Deschner 		gd: review? (jelmer)
 Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Buchan Milne 2010-06-08 04:06:42 UTC 
According to http://library.gnome.org/devel/gtk/unstable/GtkMessageDialog.html#gtk-message-dialog-new , the 5th argument to gtk-message-dialog-new should be a printf-style format string, with the arguments following to be the arguments for the format string, however the code in netdomjoin-gui.c instead provides only the string.

When compiling with -Werror=format-security, this will fail (see http://wiki.mandriva.com/en/Development/Packaging/Problems#format_not_a_string_literal_and_no_format_arguments). While unlikely, this could be a vulnerability that could be exploited for privilege escalation (e.g., if otherwise unprivileged users are provided with a means to execute netdomjoin-gui as root, e.g. via sudo).
Comment 1 Guenther Deschner 2010-06-08 05:31:03 UTC 
Created attachment 5768 [details]
v3-5-test patch (port from master)
Comment 2 Guenther Deschner 2010-06-08 07:56:13 UTC 
Karolin, please pick for 3.5 and 3.4
Comment 3 Karolin Seeger 2010-06-09 08:42:15 UTC 
Pushed to v3-5-test and v3-4-test.
Closing out bug report.

Thanks!