Bug 190861 - gnome-extra/evolution-data-server-1.10* - Security bug in Camel's IMAP provider (CVE-2007-3257)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://bugzilla.gnome.org/show_bug.cg...
Whiteboard: B2 [glsa]
Reported: 2007-08-31 10:26 UTC by Mart Raudsepp
Modified: 2008-01-10 08:38 UTC

Description Mart Raudsepp gentoo-dev 2007-08-31 10:26:32 UTC
This was already fixed in 1.10.1-r3, but it got accidentally lost in 1.10.2, which has now been stable for about a month. Upstream includes this fix in 1.10.3.1, which I will commit to the tree soon. I advise speedy stabilization of it once in the tree.


+++ This bug was initially created as a clone of Bug #182011 +++

Original bug report: http://bugzilla.gnome.org/show_bug.cgi?id=447414

Just copying description from the upstream bug report:

==================================================
The "SEQUENCE" value in the GData of the IMAP code (camel-imap-folder.c) is
converted from a string using strtol. This allows for negative values.

The imap_rescan uses this value as an int. It checks for !seq and
seq>summary.length. It doesn't check for seq < 0. Although seq is used as the
index of an array.

This means that a negative index number can be fed to the array lookup by
altering the output of an IMAP server.

I'm marking this as a blocker (very very serious) security bug as this is
remotely exploitable (I can put shell code in the UID field of the IMAP code,
and make it execute on the victim's computer, as at the seq'd field of the
index a g_strdup of the UID is written to memory. By carefully calculating the
negative value and overwriting the instruction pointer near the array's start,
I can let it point to that memory and get it to execute).

I first informed the Camel authors about this bug, but they didn't respond
quickly enough (it has been months now). I hereby stop caring about the secrecy
of security bug reports and I do report it now.

This bug affects nearly all versions of Evolution. It can be fixed by either
checking for seq < 0 or by using strtoul instead of strtol.
==================================================

Both evolution-data-server-1.8.3-r4 and evolution-data-server-1.10.1-r2 are affected. 1.6.x affected but should be removed from the tree at some point... As soon as patches will be applied upstream, I'll do the same in our ebuilds.
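The sign bug the quoted report describes, shown as an added illustration in C (not the Camel code): the strtol-based check with only the `!seq` and `seq > length` tests, beside a strict parser of the kind the suggested fix implies. The function names and the summary length are assumptions made for this example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

/* Mirrors the check described in the report: the SEQUENCE value is parsed
 * with strtol, and only !seq and seq > summary length are rejected.
 * Returns true when the value would be accepted as an array index.
 * Constructed for this page; not the camel-imap-folder.c code. */
bool seq_accepted_strtol(const char *text, long summary_len, long *out)
{
    long seq = strtol(text, NULL, 10);   /* "-1" parses fine here */
    *out = seq;
    if (!seq || seq > summary_len)
        return false;
    return true;                          /* negative seq slips through */
}

/* Hardened variant: only digits are allowed before the value is parsed
 * with strtoul (so a leading '-' can never be silently negated), overflow
 * is caught via ERANGE, and the result must lie in 1..summary_len. */
bool seq_accepted_strict(const char *text, unsigned long summary_len,
                         unsigned long *out)
{
    const char *p;
    char *end;
    unsigned long seq;

    if (text == NULL || *text == '\0')
        return false;
    for (p = text; *p != '\0'; p++)       /* reject '-', '+', spaces, junk */
        if (!isdigit((unsigned char)*p))
            return false;

    errno = 0;
    seq = strtoul(text, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return false;
    if (seq == 0 || seq > summary_len)    /* keep the original bounds too */
        return false;

    *out = seq;
    return true;
}
```

The first function accepts "-1" for a 100-message summary, which is exactly the value the report warns about; the second rejects it along with zero, out-of-range and non-numeric input.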
Comment 1 Mart Raudsepp gentoo-dev 2007-08-31 10:50:28 UTC
gnome-extra/evolution-data-server-1.10.3.1 is in the tree now, which includes the imap overflow fix in the upstream tarball already.
It also includes patches from bugs #133504 and #175516 and the usual bug fixes, leak fixes and so on included between 1.10.2 and 1.10.3.1 releases.

Target arches are alpha, amd64, arm, hppa, ia64, ppc, sparc, x86.
ppc64 currently has no stable 1.10.x yet and is not affected in the stable tree, will add a note to the GNOME-2.18 stabilization bug to go for evolution-data-server-1.10.3.1 instead, if you agree with this for the rest of the arches.
Security team, please feel free to CC the arches if you agree on the quick stabilization for this security issue.
Comment 2 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-08-31 12:38:44 UTC
(In reply to comment #1)
> Target arches are alpha, amd64, arm, hppa, ia64, ppc, sparc, x86.
> ppc64 currently has no stable 1.10.x yet and is not affected in the stable
> tree, will add a note to the GNOME-2.18 stabilization bug to go for
> evolution-data-server-1.10.3.1 instead, if you agree with this for the rest of
> the arches.
> Security team, please feel free to CC the arches if you agree on the quick
> stabilization for this security issue.

Well, we don't have much choice here :)
arches, please test and mark stable gnome-extra/evolution-data-server-1.10.3.1.
Comment 3 Ferris McCormick (RETIRED) gentoo-dev 2007-08-31 13:15:30 UTC
Sparc stable.
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2007-08-31 15:54:32 UTC
Stable for HPPA.
Comment 5 Chris Gianelloni (RETIRED) gentoo-dev 2007-08-31 17:45:55 UTC
amd64/x86 done...
Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev 2007-09-01 08:05:36 UTC
ppc stable
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2007-09-01 10:25:14 UTC
alpha/ia64 stable
Comment 8 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-17 21:13:11 UTC
glsa request filed.
Comment 9 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-06 22:02:12 UTC
GLSA 200711-04, sorry for the delay.