CVE-2007-2027 - OpenCVE

Untrusted search path vulnerability in the add_filename_to_string function in intl/gettext/loadmsgcat.c for Elinks 0.11.1 allows local users to cause Elinks to use an untrusted gettext message catalog (.po file) in a "../po" directory, which can be leveraged to conduct format string attacks.

No CVSS v3.1

No CVSS v3.0

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:L/AC:M/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Elinks	Elinks

Configuration 1 [-]

cpe:2.3:a:elinks:elinks:0.11.1:*:*:*:*:*:*:*

References

Link	Resource
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=417789
http://osvdb.org/35668
http://secunia.com/advisories/25169	Vendor Advisory
http://secunia.com/advisories/25198	Vendor Advisory
http://secunia.com/advisories/25255	Vendor Advisory
http://secunia.com/advisories/25550	Vendor Advisory
http://security.gentoo.org/glsa/glsa-200706-03.xml
http://www.securityfocus.com/bid/23844
http://www.trustix.org/errata/2007/0017/
http://www.ubuntu.com/usn/usn-457-1
http://www.vupen.com/english/advisories/2007/1686	Vendor Advisory
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235411	Exploit Vendor Advisory
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9741

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2007-04-13T18:00:00

Updated: 2017-10-10T00:57:01

Reserved: 2007-04-13T00:00:00

Link: CVE-2007-2027

JSON object: View

NVD Information

Status : Modified

Published: 2007-04-13T18:19:00.000

Modified: 2017-10-11T01:32:05.080

Link: CVE-2007-2027

JSON object: View

Redhat Information

No data.

CWE

CWE-134

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2007-04-05T00:00:00", "descriptions": [{"lang": "en", "value": "Untrusted search path vulnerability in the add_filename_to_string function in intl/gettext/loadmsgcat.c for Elinks 0.11.1 allows local users to cause Elinks to use an untrusted gettext message catalog (.po file) in a \"../po\" directory, which can be leveraged to conduct format string attacks."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-10-10T00:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "25550", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/25550"}, {"name": "2007-0017", "tags": ["vendor-advisory", "x_refsource_TRUSTIX"], "url": "http://www.trustix.org/errata/2007/0017/"}, {"name": "USN-457-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/usn-457-1"}, {"name": "25198", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/25198"}, {"name": "ADV-2007-1686", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2007/1686"}, {"name": "35668", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/35668"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235411"}, {"name": "oval:org.mitre.oval:def:9741", "tags": ["vdb-entry", "signature", "x_refsource_OVAL"], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9741"}, {"name": "23844", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/23844"}, {"name": "25169", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/25169"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=417789"}, {"name": "25255", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/25255"}, {"name": "GLSA-200706-03", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "http://security.gentoo.org/glsa/glsa-200706-03.xml"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2007-2027", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Untrusted search path vulnerability in the add_filename_to_string function in intl/gettext/loadmsgcat.c for Elinks 0.11.1 allows local users to cause Elinks to use an untrusted gettext message catalog (.po file) in a \"../po\" directory, which can be leveraged to conduct format string attacks."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "25550", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/25550"}, {"name": "2007-0017", "refsource": "TRUSTIX", "url": "http://www.trustix.org/errata/2007/0017/"}, {"name": "USN-457-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/usn-457-1"}, {"name": "25198", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/25198"}, {"name": "ADV-2007-1686", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2007/1686"}, {"name": "35668", "refsource": "OSVDB", "url": "http://osvdb.org/35668"}, {"name": "https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235411", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235411"}, {"name": "oval:org.mitre.oval:def:9741", "refsource": "OVAL", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9741"}, {"name": "23844", "refsource": "BID", "url": "http://www.securityfocus.com/bid/23844"}, {"name": "25169", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/25169"}, {"name": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=417789", "refsource": "CONFIRM", "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=417789"}, {"name": "25255", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/25255"}, {"name": "GLSA-200706-03", "refsource": "GENTOO", "url": "http://security.gentoo.org/glsa/glsa-200706-03.xml"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2007-2027", "datePublished": "2007-04-13T18:00:00", "dateReserved": "2007-04-13T00:00:00", "dateUpdated": "2017-10-10T00:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:elinks:elinks:0.11.1:*:*:*:*:*:*:*", "matchCriteriaId": "4A59D584-A2D1-421B-BA8B-7EC4EC459B3F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Untrusted search path vulnerability in the add_filename_to_string function in intl/gettext/loadmsgcat.c for Elinks 0.11.1 allows local users to cause Elinks to use an untrusted gettext message catalog (.po file) in a \"../po\" directory, which can be leveraged to conduct format string attacks."}, {"lang": "es", "value": "Una vulnerabilidad de ruta (path) de b\u00fasqueda no confiable en la funci\u00f3n add_filename_to_string en el archivo intl/gettext/loadmsgcat.c para Elinks versi\u00f3n 0.11.1, permite a usuarios locales causar que Elinks use un cat\u00e1logo de mensajes gettext no confiable (archivo .po) en un directorio \"../po\", que puede ser aprovechado para conducir ataques de cadena de formato."}], "evaluatorImpact": "An untrusted message catalog might lead to a format-string attack when an\r\nattacker tricks user into launching links from a particular directory.\r\n", "id": "CVE-2007-2027", "lastModified": "2017-10-11T01:32:05.080", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2007-04-13T18:19:00.000", "references": [{"source": "cve@mitre.org", "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=417789"}, {"source": "cve@mitre.org", "url": "http://osvdb.org/35668"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/25169"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/25198"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/25255"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/25550"}, {"source": "cve@mitre.org", "url": "http://security.gentoo.org/glsa/glsa-200706-03.xml"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/23844"}, {"source": "cve@mitre.org", "url": "http://www.trustix.org/errata/2007/0017/"}, {"source": "cve@mitre.org", "url": "http://www.ubuntu.com/usn/usn-457-1"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://www.vupen.com/english/advisories/2007/1686"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235411"}, {"source": "cve@mitre.org", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9741"}], "sourceIdentifier": "cve@mitre.org", "vendorComments": [{"comment": "This issue affected Red Hat Enterprise Linux 4 and 5. Update packages were released to correct it via: http://rhn.redhat.com/errata/RHSA-2009-1471.html", "lastModified": "2009-10-02T00:00:00", "organization": "Red Hat"}], "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-134"}], "source": "nvd@nist.gov", "type": "Primary"}]}