
Bug 212272

Summary: mail-client/evolution <2.12.3-r1 Encrypted Message Version Format String Vulnerability (CVE-2008-0072)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: gnome
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://secunia.com/advisories/29057/
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---
Attachments:
  evolution-CVE-2008-0072.diff (flags: none)
  evolution-2.12.3-r1.ebuild (flags: none)

Description Robert Buchholz (RETIRED) gentoo-dev 2008-03-04 12:57:58 UTC
Secunia reports:

A format string error in the "emf_multipart_encrypted()" function in
mail/em-format.c when displaying the "Version:" field from an encrypted
e-mail message can be exploited to execute arbitrary code via a
specially crafted e-mail message.

Successful exploitation requires that the user opens a malicious e-mail
message.
...
We have assigned this vulnerability Secunia advisory SA29057 and the CVE
identifier CVE-2008-0072.

Credits should go to:
Ulf Harnhammar, Secunia Research.
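
The bug class described in the advisory text above, as an added C illustration that is neither Evolution's code nor the upstream patch: a value taken from the message's "Version:" field must only ever be passed as an argument to a constant format string. All function names and the sample control part are constructed for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: PGP/MIME control part with a hostile Version value. */
static const char SAMPLE_PART[] =
    "Content-Type: application/pgp-encrypted\r\nVersion: %x.%x.%x\r\n";

/* Hypothetical printf-style error sink; the attribute lets GCC/Clang
 * flag non-literal formats at compile time (-Wformat-security). */
#if defined(__GNUC__)
__attribute__((format(printf, 3, 4)))
#endif
static int format_error(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Copy the "Version:" value into dst; 0 on success, -1 if absent. */
int get_version(const char *part, char *dst, size_t n)
{
    const char *p = part;
    while (n > 0 && p && *p) {
        if (strncmp(p, "Version:", 8) == 0) {
            p += 8 + strspn(p + 8, " \t");
            size_t len = strcspn(p, "\r\n");
            if (len >= n) len = n - 1;   /* truncate, never overflow dst */
            memcpy(dst, p, len);
            dst[len] = '\0';
            return 0;
        }
        p = strchr(p, '\n');
        if (p) p++;
    }
    return -1;
}

#ifdef SHOW_VULNERABLE /* off by default: the flawed pattern, for contrast */
int report_bad_version_vuln(char *out, size_t n, const char *version)
{
    return format_error(out, n, version); /* message data used as format */
}
#endif

/* Corrected pattern: constant format, untrusted text only as an argument. */
int report_bad_version(char *out, size_t n, const char *version)
{
    return format_error(out, n, "Unsupported version: %s", version);
}
```

Building with `-Wformat -Wformat-security` makes the compiler report the non-literal format in the `SHOW_VULNERABLE` variant, which is a cheap regression check for this class of bug.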
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-03-04 12:59:37 UTC
Daniel, Gilles, this issue is under embargo until 2008-03-19 10am CET. Do not commit anything to CVS until this date. Please prepare an updated ebuild and attach it to this bug, we will do prestable testing here. Thanks.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-03-04 13:00:38 UTC
Created attachment 145259 [details, diff]
evolution-CVE-2008-0072.diff

Upstream patch
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-03-04 13:18:26 UTC
Embargo date was *advanced* to be tomorrow.
Comment 4 Gilles Dartiguelongue (RETIRED) gentoo-dev 2008-03-04 15:11:55 UTC
Created attachment 145266 [details]
evolution-2.12.3-r1.ebuild

full ebuild as asked by rbu.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-03-04 15:16:02 UTC
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug. Please note that this issue will be public tomorrow morning. Thanks.

Target keywords : "alpha amd64 hppa ia64 ppc ppc64 release sparc x86"

CC'ing current Liaisons:
   alpha : ferdy
   amd64 : welp
    hppa : jer
     ppc : dertobi123
   ppc64 : corsair
 release : pva
   sparc : fmccor
     x86 : opfer
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2008-03-04 17:24:03 UTC
As for HPPA: for reasons evolution takes around 3 hours to build on a 625MHz PA8700 (C3650)[1] and the build is not nearly halfway through. I'll be off to work before it finishes, so you can expect me to report back with some test results in about 9 hours from now (and no sooner).

[1] I am currently building mail-client/evolution on a comparable Pentium III at 833MHz to see if the HPPA build time is indeed overly long.
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2008-03-04 20:09:54 UTC
Calendar and Tasks:
 * import of big ICS...check
 * import of tasks...check
 * modifying tasks and events...check

Mail:
 * IMAP...check
 * SMTP...check
 * POP3...check

Good to go on x86
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2008-03-04 21:38:16 UTC
Looks fine on alpha/ia64/sparc
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2008-03-05 01:13:23 UTC
Looks good on amd64.
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2008-03-05 01:14:34 UTC
jer, it compiles a while on my core2 too, no worries.
Comment 11 Brent Baude (RETIRED) gentoo-dev 2008-03-05 02:09:24 UTC
was cool for ppc64 here too
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2008-03-05 04:05:18 UTC
(In reply to comment #10)
> jer, it compiles a while on my core2 too, no worries.

Takes ~2 hours on the Pentium III, so I guess that's normal.

Anyway, it appears to be good for HPPA.
Comment 13 Mart Raudsepp gentoo-dev 2008-03-05 09:04:36 UTC
Committed ebuild at 10:05am CET. Patch extension renamed from diff to patch to be the same as every new GNOME packages patch and explanation added on top of the patch as I like to do for future easy seeing what a given patch is for. Tested to work good on amd64 as well.

+*evolution-2.12.3-r1 (05 Mar 2008)
+
+  05 Mar 2008; Mart Raudsepp <leio@gentoo.org>
+  +files/evolution-CVE-2008-0072.patch, +evolution-2.12.3-r1.ebuild:
+  Security fix for "Encrypted Message Version Format String Vulnerability".
+  Stable on alpha, amd64, hppa, ia64, ppc64, sparc and x86
+
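Review bot: the description line 'Security fix for "Encrypted Message Version Format String Vulnerability".' does not cite the bug number or the CVE id in its text; the CVE appears only inside the patch file name. Appending "(bug #212272, CVE-2008-0072)" would let someone reading the ChangeLog find this report directly. The "Stable on" line also omits ppc, which is among the target keywords in comment 5, so the entry will need a follow-up once ppc is keyworded.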
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2008-03-05 10:05:49 UTC
Thank you guys for the fast work.


Target keywords : "alpha amd64 hppa ia64 ppc ppc64 release sparc x86"
Already stabled : "alpha amd64 hppa ia64 ppc64 sparc x86"
Missing keywords: "ppc release"

Comment 15 Tobias Scherbaum (RETIRED) gentoo-dev 2008-03-05 19:29:52 UTC
ppc stable, ready for glsa
Comment 16 Robert Buchholz (RETIRED) gentoo-dev 2008-03-05 20:09:34 UTC
request filed
Comment 17 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-03-05 22:30:51 UTC
GLSA 200803-12
Comment 18 Peter Volkov (RETIRED) gentoo-dev 2008-03-06 10:14:49 UTC
Fixed in release snapshot.