Bug 124826 - mail-client/evolution - DoS on certain email content (CVE-2006-0040)
Bug#: 124826 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: normal Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: carlo@gentoo.org
Component: Vulnerabilities
URL:  http://bugzilla.gnome.org/show_bug.cgi?id=337439
Summary: mail-client/evolution - DoS on certain email content (CVE-2006-0040)
Keywords:  
Status Whiteboard: A3? [glsa]
Opened: 2006-03-03 10:13 0000
Description:   Opened: 2006-03-03 10:13 0000 
http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2006-03/msg00022.html

------- Comment #1 From Thierry Carrez (RETIRED) 2006-03-03 10:31:02 0000 ------- 
Waiting on upstream...

------- Comment #2 From Thierry Carrez (RETIRED) 2006-03-11 03:11:01 0000 ------- 
Can't find a reference upstream. Gnome team, could you check and maybe file a
bug in the unlikely case there isn't one ?

------- Comment #3 From Matthias Geerdsen 2006-03-23 12:42:12 0000 ------- 
maybe linked to/the same as bug 127323 ?

------- Comment #4 From Thierry Carrez (RETIRED) 2006-04-09 09:28:17 0000 ------- 
It's apparently not the same... but that doesn't help.

------- Comment #5 From Jory A. Pratt 2006-05-17 18:15:00 0000 ------- 
This was not a direct issue to evolution, it is related to gtkhtml, the bug
should push forward to and see about marking 3.10.1 or a slightly older version
stable.

------- Comment #6 From Jory A. Pratt 2006-05-17 18:50:50 0000 ------- 
Url is to upstream bug report.

------- Comment #7 From Daniel Gryniewicz 2006-05-17 19:05:58 0000 ------- 
Trying this on 3.11.1 (current development version of gtkhtml), it took ~1
minute to render, and took ~650MB of RAM.  I'd say that nothing has changed,
and the original reporter had <512MB of RAM.  That would swap pretty hard, and
make your system fairly unusable.

------- Comment #8 From Sune Kloppenborg Jeppesen 2006-09-05 05:52:51 0000 ------- 
gnome-office, according to the CVE and Secunia entries 2.6.2 is not affected by
this. Please advise.

------- Comment #9 From Sune Kloppenborg Jeppesen 2006-09-13 23:04:33 0000 ------- 
Any news on this one?

------- Comment #10 From Sune Kloppenborg Jeppesen 2006-09-26 09:17:50 0000 ------- 
Any news on this one?

------- Comment #11 From Peter Volkov 2007-02-25 10:17:14 0000 ------- 
Sune: I'm not from gnome-office but... This is not bug in evolution itself but
in GTKHTML renderer which reproduces perfectly in gtkhtml-3.12.3. Influence of
this bug can be reproduced in evolution-2.8.3 and I do not see any reasons why
this could not be reproduced in evolution-2.6.2. At least I can remember
messages which could eat whole memory and crash evolution in the same way as
described. I do not know where do people took "affected evolution versions".
I think that workaround suggested in gnome bugzilla should be applied. But
currently that patch does not work here and I wait their response on comment
#24 in gnome bugzilla... Also it's very interesting what redhat has in their
bugzilla but I do not have access there.

------- Comment #12 From Raphael Marichez 2007-03-09 22:00:03 0000 ------- 
Thanks Volkov... do you think this bug is still relevant or obsolete now?

------- Comment #13 From Peter Volkov 2007-03-13 05:28:13 0000 ------- 
This issue still is not fixed so it's still relevant. Upstream patch is not
working here as it should. I've contacted Srinivasa Ragavan, author of that
patch and he answered:

"I am currently OOF/Town. I will get back to you in a weeks time."

So again, waiting upstream...

------- Comment #14 From Raphael Marichez 2007-03-14 00:21:14 0000 ------- 
(In reply to comment #13)
> This issue still is not fixed so it's still relevant. Upstream patch is not
> working here as it should. I've contacted Srinivasa Ragavan, author of that
> patch and he answered:
> 
> "I am currently OOF/Town. I will get back to you in a weeks time."
> 
> So again, waiting upstream...
> 

alright. I'll ping again within some weeks.

------- Comment #15 From Peter Volkov 2007-03-16 09:48:18 0000 ------- 
Well. I've received explanations:

That patch checks for on-disk letter size instead of rendered in-memory. So
actually patch works but it does not prevents all possible out-of-memory
conditions which could occur during letter rendering with gtkhtml...

To fix this bug. Hm... Of course proper fix should be applied to gtkhtml
library. But I do not have currently time to delve into that library thus I
suggest just to follow upstream and apply patch they think fix the issue.

------- Comment #16 From Peter Volkov 2007-03-16 09:49:29 0000 ------- 
Created an attachment (id=113451) [details]
Upstream patch.

------- Comment #17 From Raphael Marichez 2007-03-26 22:06:55 0000 ------- 
Hi Peter, can you provide a new ebuild with these patches if you think they are
good, please? unless it's already done... thanks!

------- Comment #18 From Peter Volkov 2007-04-22 09:49:08 0000 ------- 
This is fixed in >=evolution-2.8.3-r2 which should be stabilized together with
gnome-2.16.3.

------- Comment #19 From Sune Kloppenborg Jeppesen 2007-04-30 09:22:18 0000 ------- 
Awaiting Gnome stabilization on bug #171107

------- Comment #20 From Mart Raudsepp 2007-06-02 03:55:35 0000 ------- 
evolution-2.8.3-r2 is stable on all supported arches.

------- Comment #21 From Raphael Marichez 2007-06-07 21:54:49 0000 ------- 
fixed by GLSA 200706-02 with the code exec vulnerability (CVE-2007-1002) ,
thanks everybody. Feel free to reopen if you disagree.