First Last Prev Next    No search results available      Search page      Enter new bug
Bug#: 182011
Alias:
Product:
Component:
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: Peter Volkov <pva@gentoo.org>
Add CC:
CC:
Remove selected CCs
URL:
Summary:
Status Whiteboard:
Keywords:
Flags: Requestee:
 
 
  ()

Filename Description Type Creator Created Size Actions
Create a New Attachment (proposed patch, testcase, etc.) View All

Bug 182011 depends on: Show dependency tree
Bug 182011 blocks:

Additional Comments: (this is where you put emerge --info)


Not eligible to see or edit group visibility for this bug.






View Bug Activity   |   Format For Printing   |   XML   |   Clone This Bug

Description:   Opened: 2007-06-14 09:16 0000 
Original bug report: http://bugzilla.gnome.org/show_bug.cgi?id=447414

Just copying description from the upstream bug report:

==================================================
The "SEQUENCE" value in the GData of the IMAP code (camel-imap-folder.c) is
converted from a string using strtol. This allows for negative values.

The imap_rescan uses this value as an int. It checks for !seq and
seq>summary.length. It doesn't check for seq < 0. Although seq is used as the
index of an array.

This means that a negative index number can be fed to the array lookup by
altering the output of an IMAP server.

I'm marking this as a blocker (very very serious) security bug as this is
remotely exploitable (I can put shell code in the UID field of the IMAP code,
and make it execute on the victim's computer, as at the seq'd field of the
index a g_strdup of the UID is written to memory. By carefully calculating the
negative value and overwriting the instruction pointer near the array's start,
I can let it point to that memory and get it to execute).

I first informed the Camel authors about this bug, but they didn't respond
quickly enough (it has been months now). I hereby stop caring about the secrecy
of security bug reports and I do report it now.

This bug affects nearly all versions of Evolutions. It can be fixed by either
checking for seq < 0 or by using strtoul in stead of strtol.
==================================================

Both evolution-data-server-1.8.3-r4 and evolution-data-server-1.10.1-r2 are
affected. 1.6.x affected but should be removed from the tree at some point...
As soon as patches will be applied upstream, I'll do the same in our ebuilds.

------- Comment #1 From Sune Kloppenborg Jeppesen 2007-06-14 15:25:05 0000 ------- 
gnome please advise.

------- Comment #2 From Gilles Dartiguelongue 2007-06-14 15:32:28 0000 ------- 
it has been commited to trunk and stable, I guess we need to patch all our
versions of eds and stabilize them asap

------- Comment #3 From Daniel Gryniewicz 2007-06-14 17:38:40 0000 ------- 
Okay, bumps for e-d-s are in the tree.

Target keywords for 1.6.2-r1: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

target keywords for 1.8.3-r5: alpha amd64 ~arm hppa ia64 ppc ppc64 sparc x86
~x86-fbsd

------- Comment #4 From Sune Kloppenborg Jeppesen 2007-06-14 17:47:37 0000 ------- 
Thanks Daniel.

Arches please test and mark stable.

------- Comment #5 From Gustavo Zacarias (RETIRED) 2007-06-14 19:37:16 0000 ------- 
sparc stable.

------- Comment #6 From Tobias Scherbaum 2007-06-14 19:40:50 0000 ------- 
ppc stable

------- Comment #7 From Daniel Gryniewicz 2007-06-14 20:12:23 0000 ------- 
amd64 done.  (yay for having tested during the bump)

------- Comment #8 From Brent Baude 2007-06-14 21:01:46 0000 ------- 
ppc64 done

------- Comment #9 From Christian Faulhammer 2007-06-14 22:29:27 0000 ------- 
x86 stable

------- Comment #10 From Raúl Porcel 2007-06-15 10:57:54 0000 ------- 
alpha/ia64 stable

------- Comment #11 From Jeroen Roovers 2007-06-16 17:24:51 0000 ------- 
Stable for HPPA.

------- Comment #12 From Raphael Marichez 2007-07-05 23:10:56 0000 ------- 
GLSA 200707-03
First Last Prev Next    No search results available      Search page      Enter new bug