170879 2007-03-14 14:05 0000 mail-client/evolution format string error (CVE-2007-1002) 2007-06-06 21:00:02 0000 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED A2 [glsa] P2 major --- 171107 1 jaervosz@gentoo.org security@gentoo.org gnome-office@gentoo.org liquidx@gentoo.org jaervosz@gentoo.org 2007-03-14 14:05:21 0000 A format string error in the "write_html()" function in calendar/gui/e- cal-component-memo-preview.c when displaying a memo's categories can potentially be exploited to execute arbitrary code via a specially crafted shared memo containing format specifiers. jaervosz@gentoo.org 2007-03-14 14:06:48 0000 Btw please credit Ulf Härnhammar,Secunia. jaervosz@gentoo.org 2007-03-14 14:08:11 0000 Created an attachment (id=113257) evo.diff Patch by Harish Krishnaswamy, SUSE falco@gentoo.org 2007-03-15 21:15:16 0000 Thanks for the report, but if we CC the maintainer this will certainly be better :) jaervosz@gentoo.org 2007-03-25 06:54:14 0000 *** Bug 171679 has been marked as a duplicate of this bug. *** pva@gentoo.org 2007-04-01 18:07:13 0000 Thank you for report Sune. But I have a question. Where did you get the patch from? Looking in upstream CVS I found the following commit to fix this issue: http://svn.gnome.org/viewcvs/evolution/branches/gnome-2-18/calendar/gui/e-cal-component-memo-preview.c?r1=33312&r2=33343 Also ubuntu patch which I got from http://secunia.com/advisories/24651 has the same fix. pva@gentoo.org 2007-04-22 09:50:31 0000 This is fixed in >=evolution-2.8.3-r2 which should be stabilized together with gnome-2.16.3. leio@gentoo.org 2007-06-02 03:08:32 0000 evolution-2.8.3-r2 is stable on all supported arches now. falco@gentoo.org 2007-06-06 21:00:02 0000 GLSA 200706-02, thanks verybody 113257 2007-03-14 14:08 0000 evo.diff evo.diff text/plain SW5kZXg6IGNhbGVuZGFyL2d1aS9lLWNhbC1jb21wb25lbnQtbWVtby1wcmV2aWV3LmMKPT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PQotLS0gY2FsZW5kYXIvZ3VpL2UtY2FsLWNvbXBvbmVudC1tZW1vLXByZXZpZXcuYwkocmV2 aXNpb24gMzMyODEpCisrKyBjYWxlbmRhci9ndWkvZS1jYWwtY29tcG9uZW50LW1lbW8tcHJldmll dy5jCSh3b3JraW5nIGNvcHkpCkBAIC0xMzgsNyArMTM4LDYgQEAKIAlFQ2FsQ29tcG9uZW50RGF0 ZVRpbWUgZHQ7CiAJZ2NoYXIgKnN0cjsKIAlHU0xpc3QgKmw7Ci0JZ2Jvb2xlYW4gb25lX2FkZGVk ID0gRkFMU0U7CiAKIAlnX3JldHVybl9pZl9mYWlsIChFX0lTX0NBTF9DT01QT05FTlQgKGNvbXAp KTsKIApAQCAtMTU4LDkgKzE1Nyw3IEBACiAJZV9jYWxfY29tcG9uZW50X2dldF9jYXRlZ29yaWVz X2xpc3QgKGNvbXAsICZsKTsKIAlpZiAobCkgewogCQlHU0xpc3QgKm5vZGU7Ci0JCUdTdHJpbmcg KnN0cmluZyA9IGdfc3RyaW5nX25ldyAoTlVMTCk7CiAJCQotCQkKIAkJZ3RrX2h0bWxfc3RyZWFt X3ByaW50ZihzdHJlYW0sICI8SDM+Q2F0ZWdvcmllczogIik7CiAKIAkJZm9yIChub2RlID0gbDsg bm9kZSAhPSBOVUxMOyBub2RlID0gbm9kZS0+bmV4dCkgewpAQCAtMTcyLDIzICsxNjksMTEgQEAK IAkJCQlndGtfaHRtbF9zdHJlYW1fcHJpbnRmIChzdHJlYW0sICI8SU1HIEFMVD1cIiVzXCIgU1JD PVwiJXNcIj4iLAogCQkJCQkJCShjb25zdCBjaGFyICopIG5vZGUtPmRhdGEsIGljb25fZmlsZV91 cmkpOwogCQkJCWdfZnJlZSAoaWNvbl9maWxlX3VyaSk7Ci0JCQkJb25lX2FkZGVkID0gVFJVRTsK IAkJCX0KLQkJCWVsc2V7Ci0JCQkJaWYob25lX2FkZGVkID09IEZBTFNFKXsKLQkJCQkJZ19zdHJp bmdfYXBwZW5kX3ByaW50ZiAoc3RyaW5nLCAiJXMiLCAoY29uc3QgY2hhciAqKSBub2RlLT5kYXRh KTsKLQkJCQkJb25lX2FkZGVkID0gVFJVRTsKLQkJCQl9Ci0JCQkJZWxzZXsKLQkJCQkJZ19zdHJp bmdfYXBwZW5kX3ByaW50ZiAoc3RyaW5nLCAiLCAlcyIsIChjb25zdCBjaGFyICopIG5vZGUtPmRh dGEpOwotCQkJCX0KLQkJCX0KKwkJCWVsc2UKKwkJCQlndGtfaHRtbF9zdHJlYW1fcHJpbnRmIChz dHJlYW0sICIlcyAiLCAoY29uc3QgY2hhciAqKSBub2RlLT5kYXRhKTsKIAkJfQogCQkKLQkJZ3Rr X2h0bWxfc3RyZWFtX3ByaW50ZihzdHJlYW0sIHN0cmluZy0+c3RyKTsKLQotCQlnX3N0cmluZ19m cmVlIChzdHJpbmcsIFRSVUUpOwotCQogCQlndGtfaHRtbF9zdHJlYW1fcHJpbnRmKHN0cmVhbSwg IjwvSDM+Iik7CiAKIAkJZV9jYWxfY29tcG9uZW50X2ZyZWVfY2F0ZWdvcmllc19saXN0IChsKTsK