CVE-2007-2027
Published 2007-04-13
Priority P4 · Severity: medium · CVSS 2.0 base score 4.4 (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Exploit / EPSS: 0.84% (53.3rd percentile)
Untrusted search path vulnerability in the add_filename_to_string function in intl/gettext/loadmsgcat.c for Elinks 0.11.1 allows local users to cause Elinks to use an untrusted gettext message catalog (.po file) in a "../po" directory, which can be leveraged to conduct format string attacks.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | elinks | < 0.11.1-1.4 (bookworm) | 0.11.1-1.4 (bookworm) |
| elinks | elinks | — | — |
| elinks | elinks | >= 0, < 0.11.1-1.4 | 0.11.1-1.4 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 4.4 | MEDIUM | AV:L/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 4.4 | MEDIUM | — |
| vendor_debian | — | 4.4 | LOW | — |
| vendor_redhat | — | 4.4 | MEDIUM | — |
GHSA
GHSA-4f5h-wcj8-92w2 (ghsa_unreviewed · 2022-05-01): CVE-2007-2027 [MEDIUM], CWE-134. Same description as the NVD entry above.
OSV
CVE-2007-2027 (osv · 2007-04-13 · CVSS 4.4, MEDIUM). Same description as the NVD entry above.
Ubuntu
elinks vulnerability (vendor_ubuntu · 2007-05-07)
Arnaud Giersch discovered that elinks incorrectly attempted to load
gettext catalogs from a relative path. If a user were tricked into
running elinks from a specific directory, a local attacker could execute
code with user privileges.
Instructions: In general, a standard system upgrade is sufficient to effect the
necessary changes.
Red Hat
elinks tries to load .po files from a non-absolute path (vendor_redhat · 2007-04-04 · CVSS 4.4, MEDIUM). Same description as the NVD entry above.
Debian
CVE-2007-2027: elinks (vendor_debian · 2007 · CVSS 4.4, MEDIUM). Same description as the NVD entry above.
Scope: local
bookworm: resolved (fixed in 0.11.1-1.4)
bullseye: resolved (fixed in 0.11.1-1.4)
forky: resolved (fixed in 0.11.1-1.4)
sid: resolved (fixed in 0.11.1-1.4)
trixie: resolved (fixed in 0.11.1-1.4)
No detection rules found.
Bugzilla
CVE-2007-2027 elinks tries to load .po files from a non-absolute path (bugzilla · 2007-04-05 · CVSS 4.4, MEDIUM)
Description of problem:
Arnaud Giersch discovered that the following chunk of code from
src/intl/gettext/loadmsgcat.c:add_filename_to_string() causes elinks
to read .po files from an untrusted location.
    if ((dirnamelen && !add_bytes_to_string(str, program.path, dirnamelen))
        || !add_to_string(str, "../po/")
        || !add_bytes_to_string(str,
An untrusted message catalog might lead to a format-string attack when an
attacker tricks a user into launching links from a particular directory.
Version-Release number of selected component (if applicable):
Doesn't Affect: RHEL3
Affects: RHEL4
Affects: RHEL5
Affects: FC5
Affects: FC6
Additional info:
It is questionable who would launch elinks from a directory controlled
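The two halves of this bug, as an added C example written for this page (it is not elinks code and not the 0.11.1-1.4 patch, which the sources above do not show): the catalog path is built relative to program.path, so the lookup follows whatever directory the binary was invoked from, and whatever the catalog returns is then used as a printf format. The function names, the `program_dir` parameter (assumed to be the directory part of program.path without its trailing slash), the hardened variant (compiled-in absolute locale directory plus a restricted language-tag alphabet) and the sample msgid/msgstr pairs are all the editor's constructions for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_SPECS 32

/* Collect the conversion character of every printf directive in s,
 * skipping flags, width, precision and length modifiers; "%%" is a
 * literal and is ignored. Returns the number of directives, or -1 when
 * a directive is malformed, exceeds cap, or uses a conversion we do not
 * allow in a translation (notably %n, the write primitive). */
static int extract_conversions(const char *s, char *out, size_t cap)
{
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p))
            p++;
        if (!*p || !strchr("diouxXeEfFgGcsp", *p))
            return -1;
        if ((size_t)count >= cap)
            return -1;
        out[count++] = *p;
    }
    return count;
}

/* A catalog entry may only replace msgid as a format string when it
 * requests the same conversions in the same order. A msgstr from an
 * attacker-controlled .po file that adds %x/%n directives fails here. */
bool translation_is_safe(const char *msgid, const char *msgstr)
{
    char a[MAX_SPECS], b[MAX_SPECS];
    int na = extract_conversions(msgid, a, sizeof a);
    int nb = extract_conversions(msgstr, b, sizeof b);
    if (na < 0 || nb < 0 || na != nb)
        return false;
    return memcmp(a, b, (size_t)na) == 0;
}

/* The lookup pattern behind CVE-2007-2027, simplified: the catalog path is
 * derived from program.path, i.e. wherever the binary was invoked from, so
 * "<dir>/../po/<lang>.po" resolves inside a directory chosen by whoever
 * set up that invocation. Hypothetical signature, not the elinks function. */
int catalog_path_relative(char *buf, size_t n, const char *program_dir,
                          const char *lang)
{
    return snprintf(buf, n, "%s/../po/%s.po", program_dir, lang);
}

/* Hardened variant (editor's choice, not the upstream patch): an absolute,
 * compiled-in locale directory and a language tag restricted to
 * [A-Za-z0-9_@], so neither the cwd nor a '/' or '..' inside lang can move
 * the lookup elsewhere. Returns the path length, or -1 on rejection. */
int catalog_path_absolute(char *buf, size_t n, const char *localedir,
                          const char *lang)
{
    if (localedir[0] != '/' || lang[0] == '\0')
        return -1;
    for (const char *p = lang; *p; p++)
        if (!(isalnum((unsigned char)*p) || *p == '_' || *p == '@'))
            return -1;
    int len = snprintf(buf, n, "%s/%s.po", localedir, lang);
    return (len < 0 || (size_t)len >= n) ? -1 : len;
}

int main(void)
{
    /* Constructed sample entries: one honest translation, one that a
     * hostile ../po/ directory would supply. */
    const char *msgid = "Loaded %s in %d ms";
    const char *good  = "Chargement de %s en %d ms";
    const char *evil  = "%s %x %x %x %n";
    char path[256];

    printf("honest msgstr accepted: %s\n", translation_is_safe(msgid, good) ? "yes" : "no");
    printf("hostile msgstr accepted: %s\n", translation_is_safe(msgid, evil) ? "yes" : "no");

    catalog_path_relative(path, sizeof path, "/tmp/attacker", "fr");
    printf("relative lookup: %s\n", path);
    if (catalog_path_absolute(path, sizeof path, "/usr/share/locale",
                              "../../tmp/attacker/po/fr") < 0)
        printf("hardened lookup rejected traversal in language tag\n");
    return 0;
}
```

The directive comparison is the same idea as a "format string check" between msgid and msgstr: it makes a catalog swap worthless to an attacker even if the search-path bug is present, while the absolute-path variant removes the search-path bug itself. Both are needed in practice, because a catalog that only reorders `%s` and `%d` already reads the wrong stack slot.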
Bugzilla
CVE-2007-2027 elinks tries to load .po files from a non-absolute path (bugzilla · 2007-04-05 · CVSS 4.4, MEDIUM)
+++ This bug was initially created as a clone of Bug #235411 +++
CWE
CWE-426: Untrusted Search Path (mitre_cwe)
The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.
This might allow attackers to execute their own programs, access unauthorized data files, or modify configuration in unexpected ways. If the product uses a search path to locate critical resources such as programs, then an attacker could modify that search path to point to a malicious program, which the targeted product would then execute. The problem extends to any type of critical resource that the product trusts. Some of the most common variants of untrusted search path are: In various UNIX and Linux-based systems, the PATH environment variable may be consulted to locate executable programs, and
CAPEC
CAPEC-135: Format String Injection (mitre_capec, [HIGH])
An adversary includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting characters. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An adversary can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of
CWE
CWE-134: Use of Externally-Controlled Format String (mitre_cwe)
The product uses a function that accepts a format string as an argument, but the format string originates from an external source.
Modes of Introduction:
Phase: Implementation
Note: The programmer rarely intends for a format string to be externally-controlled at all. This weakness is frequently introduced in code that constructs log messages, where a constant format string is omitted.
Phase: Implementation
Note: In cases such as localization and internationalization, the language-specific message repositories could be an avenue for exploitation, but the format string issue would be resultant, since attacker control of those repositories would also allow modification of message length, format, and content.
Common Consequences:
Scope: Co
References
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=417789
http://osvdb.org/35668
http://secunia.com/advisories/25169
http://secunia.com/advisories/25198
http://secunia.com/advisories/25255
http://secunia.com/advisories/25550
http://security.gentoo.org/glsa/glsa-200706-03.xml
http://www.securityfocus.com/bid/23844
http://www.trustix.org/errata/2007/0017/
http://www.ubuntu.com/usn/usn-457-1
http://www.vupen.com/english/advisories/2007/1686
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235411
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9741