CVE-2007-2027 - Untrusted search path vulnerability in the add_filename_to_string function in intl/gettext/loadmsgca

CVE-2007-2027

Summary

Untrusted search path vulnerability in the add_filename_to_string function in intl/gettext/loadmsgcat.c for Elinks 0.11.1 allows local users to cause Elinks to use an untrusted gettext message catalog (.po file) in a "../po" directory, which can be leveraged to conduct format string attacks. An untrusted message catalog might lead to a format-string attack when an attacker tricks user into launching links from a particular directory.

References

Vulnerable Configurations

cpe:2.3:a:elinks:elinks:0.11.1:*:*:*:*:*:*:*
cpe:2.3:a:elinks:elinks:0.11.1:*:*:*:*:*:*:*

CVSS

Base:	4.4 (as of 11-10-2017 - 01:32)
Impact:
Exploitability:

CWE

CWE-134

CAPEC

String Format Overflow in syslog()
This attack targets the format string vulnerabilities in the syslog() function. An attacker would typically inject malicious input in the format string parameter of the syslog function. This is a common problem, and many public vulnerabilities and associated exploits have been posted.
Format String Injection
An adversary includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An adversary can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the adversary can write to the program stack.

Access

Vector	Complexity	Authentication
LOCAL	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:L/AC:M/Au:N/C:P/I:P/A:P

oval via4

accepted

2013-04-29T04:21:46.799-04:00

class

vulnerability

contributors

name Aharon Chernin
organization SCAP.com, LLC
name Dragos Prisaca
organization G2, Inc.

definition_extensions

comment The operating system installed on the system is Red Hat Enterprise Linux 4
oval oval:org.mitre.oval:def:11831
comment CentOS Linux 4.x
oval oval:org.mitre.oval:def:16636
comment Oracle Linux 4.x
oval oval:org.mitre.oval:def:15990
comment The operating system installed on the system is Red Hat Enterprise Linux 5
oval oval:org.mitre.oval:def:11414
comment The operating system installed on the system is CentOS Linux 5.x
oval oval:org.mitre.oval:def:15802
comment Oracle Linux 5.x
oval oval:org.mitre.oval:def:15459

description

family

unix

oval:org.mitre.oval:def:9741

status

accepted

submitted

2010-07-09T03:56:16-04:00

title

version

redhat via4

rpms

elinks-0:0.11.1-6.el5_4.1
elinks-0:0.9.2-4.el4_8.1
elinks-debuginfo-0:0.11.1-6.el5_4.1
elinks-debuginfo-0:0.9.2-4.el4_8.1

refmap via4

bid	23844
confirm	http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=417789 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235411
gentoo	GLSA-200706-03
osvdb	35668
secunia	25169 25198 25255 25550
trustix	2007-0017
ubuntu	USN-457-1
vupen	ADV-2007-1686

statements via4

contributor	Mark J Cox
lastmodified	2009-10-02
organization	Red Hat
statement	This issue affected Red Hat Enterprise Linux 4 and 5. Update packages were released to correct it via: http://rhn.redhat.com/errata/RHSA-2009-1471.html

Last major update

11-10-2017 - 01:32

Published

13-04-2007 - 18:19

Last modified

11-10-2017 - 01:32