CVE-2008-3533
Published: 2008-08-18
Priority P263 · critical · 10 · CVSS 2.0
AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 19.39% (97.0th percentile)
Format string vulnerability in the window_error function in yelp-window.c in yelp in Gnome after 2.19.90 and before 2.24 allows remote attackers to execute arbitrary code via format string specifiers in an invalid URI on the command line, as demonstrated by use of yelp within (1) man or (2) ghelp URI handlers in Firefox, Evolution, and unspecified other programs.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | yelp | < yelp 2.22.1-4 (bookworm) | yelp 2.22.1-4 (bookworm) |
| gnome | gnome | — | — |
| gnome | gnome | — | — |
| gnome | yelp | < 2.24 | 2.24 |
| gnome | yelp | >= 0 < 2.22.1-4 | 2.22.1-4 |
| gnome | yelp | >= 0 < 2.22.1-4 | 2.22.1-4 |
| gnome | yelp | >= 0 < 2.22.1-4 | 2.22.1-4 |
| gnome | yelp | >= 0 < 2.22.1-4 | 2.22.1-4 |
Detection & IOCs
- Monitor yelp process invocations where the URI argument contains printf-style format specifiers (e.g., %08x, %x, %n). These are the attack payload patterns demonstrated in the wild.
- Watch for yelp being launched via man:// or ghelp:// URI handlers from browser or email client processes (Firefox, Evolution), as these are the demonstrated delivery vectors.
- The vulnerable code path is the window_error function in yelp-window.c. On Fedora 9+, glibc detects the format string abuse and triggers a controlled application shutdown, so a crash/abort of yelp can itself be an indicator of an exploitation attempt.
- Affected yelp versions are strictly after 2.19.90 and before 2.24. Red Hat Enterprise Linux 3, 4, and 5 ship versions outside this range and are NOT affected.
- On Fedora 9 and later, glibc's format-string protection limits the impact to a denial-of-service (crash) rather than arbitrary code execution. Fedora 8 is the primary code-execution risk among Fedora releases.
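The first two detection points can be combined into one triage rule. The sketch below is an added example, not a rule published by any of the sources on this page; the event schema (parent process name plus argv) and the sample events are constructed for illustration. It is a heuristic: a token such as `%41x` is also a valid URI percent-escape and is treated as benign, so some crafted inputs will not be flagged.

```python
import re

# printf conversion: %[n$][flags][width][.precision][length]conversion
PRINTF = re.compile(
    r"%(?:\d+\$)?[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l|z|j|t|L)?[diouxXeEfgGcspn]")
PCT_ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")
URI_SCHEMES = ("man:", "ghelp:")            # handlers named in the advisory
HANDLER_PARENTS = {"firefox", "evolution"}  # delivery vectors named in the advisory

def format_specifiers(arg):
    """Return printf-style tokens in arg that are not ordinary URI percent-escapes."""
    hits = []
    for m in PRINTF.finditer(arg):
        esc = PCT_ESCAPE.match(arg, m.start())
        # "%20d" is an encoded space followed by "d" and is skipped; "%08x" would
        # decode to a control byte, which a help URI has no use for, so it counts.
        if esc and int(esc.group(1), 16) >= 0x20:
            continue
        hits.append(m.group(0))
    return hits

def triage(event):
    """Classify one process-exec event as ("high" | "medium" | "ignore", specifiers)."""
    argv = event["argv"]
    if not argv or argv[0].rsplit("/", 1)[-1] != "yelp":
        return ("ignore", [])
    hits = [s for a in argv[1:] for s in format_specifiers(a)]
    if not hits:
        return ("ignore", [])
    via_handler = (event["parent"] in HANDLER_PARENTS
                   and any(a.startswith(URI_SCHEMES) for a in argv[1:]))
    return ("high" if via_handler else "medium", hits)

# Constructed sample events (hypothetical schema: parent process name + argv).
SAMPLE_EVENTS = [
    {"parent": "firefox", "argv": ["/usr/bin/yelp", "ghelp:%08x.%08x.%n"]},
    {"parent": "bash", "argv": ["yelp", "man:%x%x"]},
    {"parent": "evolution", "argv": ["/usr/bin/yelp", "ghelp:user-guide?intro%20d"]},
    {"parent": "firefox", "argv": ["/usr/bin/gedit", "%n"]},
]

def scan(events):
    """Return (event index, severity, specifiers) for every event worth alerting on."""
    results = [(i, *triage(e)) for i, e in enumerate(events)]
    return [r for r in results if r[1] != "ignore"]

if __name__ == "__main__":
    for idx, severity, specs in scan(SAMPLE_EVENTS):
        print(idx, severity, specs)
```
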
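CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| osv | | 10.0 | CRITICAL | |
| vendor_debian | | 10.0 | LOW | |
| vendor_redhat | | 10.0 | CRITICAL | |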
Ubuntu
Yelp vulnerability
vendor_ubuntu·2008-08-27
CVE-2008-3533 Yelp vulnerability
Title: Yelp vulnerability
Summary: Yelp vulnerability
Aaron Grattafiori discovered that the Gnome Help Viewer did not
handle format strings correctly when displaying certain error messages.
If a user were tricked into opening a specially crafted URI, a remote
attacker could execute arbitrary code with user privileges.
Instructions: In general, a standard system upgrade is sufficient to effect the
necessary changes.
Red Hat
yelp: Invalid URI format string vulnerability (remote arbitrary code execution)
vendor_redhat·2008-08-11·CVSS 10.0
CVE-2008-3533 [CRITICAL] yelp: Invalid URI format string vulnerability (remote arbitrary code execution)
Statement: This issue does not affect the versions of the yelp package, as shipped with Red Hat Enterprise Linux 3, 4 and 5.
Debian
CVE-2008-3533: yelp - Format string vulnerability in the window_error function in yelp-window.c in yel...
vendor_debian·2008·CVSS 10.0
CVE-2008-3533 [CRITICAL] CVE-2008-3533: yelp - Format string vulnerability in the window_error function in yelp-window.c in yel...
Scope: local
bookworm: resolved (fixed in 2.22.1-4)
bullseye: resolved (fixed in 2.22.1-4)
forky: resolved (fixed in 2.22.1-4)
sid: resolved (fixed in 2.22.1-4)
trixie: resolved (fixed in 2.22.1-4)
GHSA
GHSA-4mh5-hw23-j38h: Format string vulnerability in the window_error function in yelp-window
ghsa_unreviewed·2022-05-02
CVE-2008-3533 [HIGH] CWE-134 GHSA-4mh5-hw23-j38h: Format string vulnerability in the window_error function in yelp-window
OSV
CVE-2008-3533: Format string vulnerability in the window_error function in yelp-window
osv·2008-08-18·CVSS 10.0
CVE-2008-3533 [CRITICAL] CVE-2008-3533: Format string vulnerability in the window_error function in yelp-window
No detection rules found.
- http://bugzilla.gnome.org/attachment.cgi?id=115890
- http://bugzilla.gnome.org/show_bug.cgi?id=546364
- http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00000.html
- http://secunia.com/advisories/31465
- http://secunia.com/advisories/31620
- http://secunia.com/advisories/31834
- http://secunia.com/advisories/32629
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:175
- http://www.securityfocus.com/bid/30690
- http://www.ubuntu.com/usn/usn-638-1
- http://www.vupen.com/english/advisories/2008/2393
- https://bugs.launchpad.net/ubuntu/+source/yelp/+bug/254860
- https://exchange.xforce.ibmcloud.com/vulnerabilities/44449
- https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00222.html