Bug 223963 - mail-client/evolution < 2.12-3-r2 iCalendar Buffer Overflow Vulnerabilities (CVE-2008-{1108,1109})
Bug#: 223963 (CVE-2008-1108) Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: normal Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: vorlon@gentoo.org
Component: Vulnerabilities
URL:  http://secunia.com/advisories/30298/
Summary: mail-client/evolution < 2.12-3-r2 iCalendar Buffer Overflow Vulnerabilities (CVE-2008-{1108,1109})
Keywords:  
Status Whiteboard: B2 [glsa]
Opened: 2008-05-28 15:02 0000
Description:
This bug is marked confidential, do not disclose any information or commit
anything until the bug has been made public.

Secunia Research reports a vulnerability in evolution (CVE-2008-{1108,1109}).
Preliminary disclosure date is 2008-06-04 10am CET.

The following is an excerpt from the vulnerability report, more details are
available:

Secunia Research has discovered two vulnerabilities in Evolution, which
can be exploited by malicious people to compromise a user's system.

1) A boundary error exists when parsing timezone strings contained
within iCalendar attachments. This can be exploited to overflow a static
buffer via an overly long timezone string.

Successful exploitation allows execution of arbitrary code, but requires
that the ITip Formatter plugin is disabled.

2) A boundary error exists when replying to an iCalendar request while
in calendar view. This can be exploited to cause a heap-based buffer
overflow via an overly long "DESCRIPTION" property string included in an
iCalendar attachment.

Successful exploitation allows execution of arbitrary code, but requires
that the user accepts the iCalendar request and replies to it from the
"Calendars" window.

The vulnerabilities are confirmed in version 2.22.1. Other versions may
also be affected.
[...]
Credits should go to:
Alin Rad Pop, Secunia Research.
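
Neither the advisory excerpt nor this bug carries any code, so the following is an added illustration written for this page, not Evolution's parser and not Secunia's material. It shows the pattern both advisory items describe: an iCalendar property value (a TZID or a DESCRIPTION) copied into a fixed-size buffer with no length check, next to a bounded copy that rejects values that do not fit. The function names, the 64-byte buffer size and the sample iCalendar text are assumptions; the example does not unfold RFC 2445 folded lines.

```c
/* Added example for this bug page: the fixed-buffer copy pattern behind
 * "overly long property string" overflows in an iCalendar parser, beside a
 * bounded version that rejects oversized values. Illustrative code written
 * for this page, not Evolution's parser; function names, the 64-byte buffer
 * and the sample iCalendar text are assumptions. */
#include <stdio.h>
#include <string.h>

#define TZ_BUF 64   /* assumed fixed buffer size for a timezone id */

/* Constructed sample with a short TZID and DESCRIPTION. */
static const char SAMPLE_ICS[] =
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "BEGIN:VTIMEZONE\r\n"
    "TZID:Europe/Berlin\r\n"
    "END:VTIMEZONE\r\n"
    "BEGIN:VEVENT\r\n"
    "DTSTART;TZID=Europe/Berlin:20080604T100000\r\n"
    "DESCRIPTION:Meeting\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n";

/* Constructed sample whose TZID (96 bytes) exceeds TZ_BUF. */
#define A8 "AAAAAAAA"
static const char SAMPLE_LONG_ICS[] =
    "BEGIN:VCALENDAR\r\n"
    "BEGIN:VTIMEZONE\r\n"
    "TZID:" A8 A8 A8 A8 A8 A8 A8 A8 A8 A8 A8 A8 "\r\n"
    "END:VTIMEZONE\r\n"
    "END:VCALENDAR\r\n";

/* Locate the value of the first content line named `name`
 * ("NAME:value" or "NAME;PARAM=x:value"). Returns 1 and sets val/len on
 * success, 0 if absent. Folded lines (RFC 2445 4.1) are not unfolded. */
static int find_property(const char *ics, const char *name,
                         const char **val, size_t *len)
{
    size_t nlen = strlen(name);
    const char *line = ics;
    while (*line) {
        const char *eol = strstr(line, "\r\n");
        size_t llen = eol ? (size_t)(eol - line) : strlen(line);
        if (llen > nlen && strncmp(line, name, nlen) == 0 &&
            (line[nlen] == ':' || line[nlen] == ';')) {
            const char *colon = memchr(line, ':', llen);
            if (colon) {
                *val = colon + 1;
                *len = (size_t)(line + llen - (colon + 1));
                return 1;
            }
        }
        if (!eol)
            break;
        line = eol + 2;
    }
    return 0;
}

/* UNSAFE (the pattern being fixed): copies the TZID value into a fixed
 * static buffer without checking its length, so a long TZID runs off the end. */
static char g_tz[TZ_BUF];
static const char *copy_tz_unsafe(const char *ics)
{
    const char *v;
    size_t n;
    if (!find_property(ics, "TZID", &v, &n))
        return NULL;
    memcpy(g_tz, v, n);          /* no bound: overflows when n >= TZ_BUF */
    g_tz[n] = '\0';
    return g_tz;
}

/* BOUNDED: any property, any caller-provided buffer. Refuses values that
 * would not fit (terminator included) and leaves `out` untouched. */
static int copy_property_bounded(const char *ics, const char *name,
                                 char *out, size_t outsz)
{
    const char *v;
    size_t n;
    if (outsz == 0 || !find_property(ics, name, &v, &n))
        return -1;
    if (n >= outsz)
        return -1;               /* would overflow: reject, do not truncate */
    memcpy(out, v, n);
    out[n] = '\0';
    return 0;
}

/* Returns 1 when the overlong TZID is rejected and the destination is left
 * exactly as it was. */
static int overlong_tzid_rejected(void)
{
    char buf[TZ_BUF] = "untouched";
    int rc = copy_property_bounded(SAMPLE_LONG_ICS, "TZID", buf, sizeof buf);
    return rc == -1 && strcmp(buf, "untouched") == 0;
}

static char scratch[TZ_BUF];   /* destination used by the demo below */

int main(void)
{
    printf("unsafe copy, benign input: %s\n", copy_tz_unsafe(SAMPLE_ICS));
    if (copy_property_bounded(SAMPLE_ICS, "DESCRIPTION", scratch, sizeof scratch) == 0)
        printf("bounded DESCRIPTION: %s\n", scratch);
    printf("overlong TZID rejected: %d\n", overlong_tzid_rejected());
    /* copy_tz_unsafe(SAMPLE_LONG_ICS) is deliberately never called: it would
     * write past the end of g_tz. */
    return 0;
}
```

The bounded version rejects rather than silently truncates, so a caller cannot end up with a timezone id or description that differs from what the sender's attachment actually said; both advisory items reduce to the same missing check, which is why one helper serves both.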

------- Comment #1 From Matthias Geerdsen 2008-05-28 15:04:52 0000 -------
Created an attachment (id=154593) [details]
patch for CVE-2008-1108 (2.22.1)

------- Comment #2 From Matthias Geerdsen 2008-05-28 15:05:15 0000 -------
Created an attachment (id=154595) [details]
patch for CVE-2008-1109 (2.22.1)

------- Comment #3 From Daniel Gryniewicz 2008-05-29 14:08:07 0000 -------
2.22.2 and 2.23.2 are vulnerable.

------- Comment #4 From Robert Buchholz 2008-05-31 11:04:11 0000 -------
I could also reproduce the issue with our stable 2.12.3. I'll attach the
patches with clean whitespaces, as the ones above do not apply. If you can,
please prepare an ebuild for prestabling.

------- Comment #5 From Robert Buchholz 2008-05-31 11:04:40 0000 -------
Created an attachment (id=154927) [details]
evolution-2.12.3-CVE-2008-1108.patch

------- Comment #6 From Robert Buchholz 2008-05-31 11:04:51 0000 -------
Created an attachment (id=154929) [details]
evolution-2.12.3-CVE-2008-1109.patch

------- Comment #7 From Gilles Dartiguelongue 2008-05-31 20:40:15 0000 -------
Created an attachment (id=154995) [details]
evolution-2.12.3.patch

patch for 2.12.3 ebuild

------- Comment #8 From Gilles Dartiguelongue 2008-05-31 20:42:39 0000 -------
Created an attachment (id=154999) [details]
evolution-2.22.2.patch

patch to 2.22.2 ebuild. The first set of patches would need to match the scheme
of the second set of patches to apply properly.

------- Comment #9 From Robert Buchholz 2008-05-31 23:46:59 0000 -------
Arch Security Liaisons, please test the attached ebuild and report it stable on
this bug. Security only cared about the (to come) evolution-2.12.3-r2 ebuild.
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 release sparc x86"

CC'ing current Liaisons:
   alpha : yoswink
   amd64 : welp
    hppa : jer
     ppc : dertobi123
   ppc64 : corsair
 release : pva
   sparc : fmccor
     x86 : opfer

------- Comment #10 From Christian Faulhammer 2008-06-01 09:30:43 0000 -------
x86 good to go

------- Comment #11 From Markus Rothe 2008-06-01 10:41:38 0000 -------
looks good on ppc64

------- Comment #12 From Jeroen Roovers 2008-06-02 03:26:26 0000 -------
HPPA is OK.

------- Comment #13 From Raúl Porcel 2008-06-02 12:46:16 0000 -------
Looks okay on alpha/ia64/sparc

------- Comment #14 From Tobias Scherbaum 2008-06-03 19:43:41 0000 -------
also looks good on ppc

------- Comment #15 From Peter Weller 2008-06-04 06:24:39 0000 -------
Looks good to go on amd64, too

------- Comment #16 From Mart Raudsepp 2008-06-04 07:35:31 0000 -------
Is this 10am CET or CEST? :)

------- Comment #17 From Pierre-Yves Rofes 2008-06-04 12:04:07 0000 -------
public as per $URL. removing arch liaisons and moving to glsa part. please
commit the ebuild with stable keywords gathered.

------- Comment #18 From Mart Raudsepp 2008-06-04 13:26:19 0000 -------
evolution-2.22.2-r1 and evolution-2.12.3-r2 have been committed to portage tree,
with the gathered stable keywords for the latter, which just leaves release@.
CCing them

------- Comment #19 From Peter Volkov 2008-06-05 05:32:01 0000 -------
Fixed in release snapshot.

------- Comment #20 From Pierre-Yves Rofes 2008-06-16 20:57:45 0000 -------
GLSA 200806-06

------- Comment #21 From Muelli 2008-11-08 21:01:12 0000 -------
Is anybody coordinating with upstream?

------- Comment #22 From Robert Buchholz 2008-11-09 10:10:22 0000 -------
(In reply to comment #21)
> Is anybody coordinating with upstream?

Can you elaborate?