182011 2007-06-14 09:16 0000 gnome-extra/evolution-data-server - Security bug in Camel's IMAP provider (CVE-2007-3257) 2007-08-25 22:11:01 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://bugzilla.gnome.org/show_bug.cgi?id=447414 B2? [glsa] P2 normal --- 1 pva@gentoo.org security@gentoo.org gnome@gentoo.org pva@gentoo.org 2007-06-14 09:16:57 0000 Original bug report: http://bugzilla.gnome.org/show_bug.cgi?id=447414 Just copying description from the upstream bug report: ================================================== The "SEQUENCE" value in the GData of the IMAP code (camel-imap-folder.c) is converted from a string using strtol. This allows for negative values. The imap_rescan uses this value as an int. It checks for !seq and seq>summary.length. It doesn't check for seq < 0. Although seq is used as the index of an array. This means that a negative index number can be fed to the array lookup by altering the output of an IMAP server. I'm marking this as a blocker (very very serious) security bug as this is remotely exploitable (I can put shell code in the UID field of the IMAP code, and make it execute on the victim's computer, as at the seq'd field of the index a g_strdup of the UID is written to memory. By carefully calculating the negative value and overwriting the instruction pointer near the array's start, I can let it point to that memory and get it to execute). I first informed the Camel authors about this bug, but they didn't respond quickly enough (it has been months now). I hereby stop caring about the secrecy of security bug reports and I do report it now. This bug affects nearly all versions of Evolutions. It can be fixed by either checking for seq < 0 or by using strtoul in stead of strtol. ================================================== Both evolution-data-server-1.8.3-r4 and evolution-data-server-1.10.1-r2 are affected. 1.6.x affected but should be removed from the tree at some point... As soon as patches will be applied upstream, I'll do the same in our ebuilds. jaervosz@gentoo.org 2007-06-14 15:25:05 0000 gnome please advise. eva@gentoo.org 2007-06-14 15:32:28 0000 it has been commited to trunk and stable, I guess we need to patch all our versions of eds and stabilize them asap dang@gentoo.org 2007-06-14 17:38:40 0000 Okay, bumps for e-d-s are in the tree. Target keywords for 1.6.2-r1: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 target keywords for 1.8.3-r5: alpha amd64 ~arm hppa ia64 ppc ppc64 sparc x86 ~x86-fbsd jaervosz@gentoo.org 2007-06-14 17:47:37 0000 Thanks Daniel. Arches please test and mark stable. gustavoz@gentoo.org 2007-06-14 19:37:16 0000 sparc stable. dertobi123@gentoo.org 2007-06-14 19:40:50 0000 ppc stable dang@gentoo.org 2007-06-14 20:12:23 0000 amd64 done. (yay for having tested during the bump) ranger@gentoo.org 2007-06-14 21:01:46 0000 ppc64 done fauli@gentoo.org 2007-06-14 22:29:27 0000 x86 stable armin76@gentoo.org 2007-06-15 10:57:54 0000 alpha/ia64 stable jer@gentoo.org 2007-06-16 17:24:51 0000 Stable for HPPA. falco@gentoo.org 2007-07-05 23:10:56 0000 GLSA 200707-03