
Bug 223963 (CVE-2008-1108)

Summary: mail-client/evolution < 2.12-3-r2 iCalendar Buffer Overflow Vulnerabilities (CVE-2008-{1108,1109})
Product: Gentoo Security
Reporter: Matthias Geerdsen (RETIRED) <vorlon>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: gnome
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://secunia.com/advisories/30298/
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---
Attachments:
    patch for CVE-2008-1108 (2.22.1)
    patch for CVE-2008-1109 (2.22.1)
    evolution-2.12.3-CVE-2008-1108.patch
    evolution-2.12.3-CVE-2008-1109.patch
    evolution-2.12.3.patch
    evolution-2.22.2.patch

Description Matthias Geerdsen (RETIRED) gentoo-dev 2008-05-28 15:02:15 UTC
This bug is marked confidential, do not disclose any information or commit anything until the bug has been made public.

Secunia Research reports a vulnerability in evolution (CVE-2008-{1108,1109}).
Preliminary disclosure date is 2008-06-04 10am CET.

The following is an excerpt from the vulnerability report; more details are
available:

Secunia Research has discovered two vulnerabilities in Evolution, which
can be exploited by malicious people to compromise a user's system.

1) A boundary error exists when parsing timezone strings contained
within iCalendar attachments. This can be exploited to overflow a static
buffer via an overly long timezone string.

Successful exploitation allows execution of arbitrary code, but requires
that the ITip Formatter plugin is disabled.

2) A boundary error exists when replying to an iCalendar request while
in calendar view. This can be exploited to cause a heap-based buffer
overflow via an overly long "DESCRIPTION" property string included in an
iCalendar attachment.

Successful exploitation allows execution of arbitrary code, but requires
that the user accepts the iCalendar request and replies to it from the
"Calendars" window.

The vulnerabilities are confirmed in version 2.22.1. Other versions may
also be affected.
[...]
Credits should go to:
Alin Rad Pop, Secunia Research.
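The boundary error the report describes (an overlong iCalendar string written into a fixed-size buffer) as an added, constructed C illustration of the bug class and its bounded fix; this is not Evolution's code or Secunia's patch, and the function names, the line format and the 64-byte limit are assumptions:

```c
#include <stdbool.h>
#include <string.h>

/* Constructed model of the bug class in the advisory: an iCalendar TZID value
 * copied into a fixed-size static buffer. Not Evolution's code; the names and
 * the 64-byte limit are assumptions made for this illustration. */
#define TZID_MAX 64

/* Copy the "TZID=" parameter value of an iCalendar property line into out.
 * Returns false if the parameter is missing or the value would not fit; an
 * unchecked copy here is the boundary error the report describes. */
static bool parse_tzid(const char *line, char *out, size_t out_len)
{
    const char *p = strstr(line, "TZID=");
    if (p == NULL)
        return false;
    p += strlen("TZID=");
    size_t n = strcspn(p, ":;");    /* value ends at ':' or at the next ';' */
    if (n >= out_len)               /* reject rather than overflow the buffer */
        return false;
    memcpy(out, p, n);
    out[n] = '\0';
    return true;
}

/* Static-buffer wrapper; returns the parsed TZID, or NULL if it was rejected. */
const char *tzid_from_line(const char *line)
{
    static char tzid[TZID_MAX];
    return parse_tzid(line, tzid, sizeof tzid) ? tzid : NULL;
}

/* Build a constructed DTSTART line whose TZID is len bytes of 'A' and report
 * whether the parser rejected it (true) or accepted it (false). */
bool tzid_of_length_rejected(size_t len)
{
    char line[512];
    const char *prefix = "DTSTART;TZID=";
    size_t plen = strlen(prefix);
    if (len + plen + 2 > sizeof line)
        return false;               /* longer than this test line can hold */
    memcpy(line, prefix, plen);
    memset(line + plen, 'A', len);
    line[plen + len] = ':';
    line[plen + len + 1] = '\0';
    return tzid_from_line(line) == NULL;
}
```

The same length check against the destination's real size is what the heap case (item 2, the overlong "DESCRIPTION" property) needs as well.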
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2008-05-28 15:04:52 UTC
Created attachment 154593 [details, diff]
patch for CVE-2008-1108 (2.22.1)
Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev 2008-05-28 15:05:15 UTC
Created attachment 154595 [details, diff]
patch for CVE-2008-1109 (2.22.1)
Comment 3 Daniel Gryniewicz (RETIRED) gentoo-dev 2008-05-29 14:08:07 UTC
2.22.2 and 2.23.2 are vulnerable.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-05-31 11:04:11 UTC
I could also reproduce the issue with our stable 2.12.3. I'll attach the patches with clean whitespaces, as the ones above do not apply. If you can, please prepare an ebuild for prestabling.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-05-31 11:04:40 UTC
Created attachment 154927 [details]
evolution-2.12.3-CVE-2008-1108.patch
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-05-31 11:04:51 UTC
Created attachment 154929 [details]
evolution-2.12.3-CVE-2008-1109.patch
Comment 7 Gilles Dartiguelongue (RETIRED) gentoo-dev 2008-05-31 20:40:15 UTC
Created attachment 154995 [details, diff]
evolution-2.12.3.patch

patch for 2.12.3 ebuild
Comment 8 Gilles Dartiguelongue (RETIRED) gentoo-dev 2008-05-31 20:42:39 UTC
Created attachment 154999 [details, diff]
evolution-2.22.2.patch

patch to 2.22.2 ebuild. The first set of patches would need to match the scheme of the second set of patches to apply properly.
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2008-05-31 23:46:59 UTC
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug. Security only cares about the (to come) evolution-2.12.3-r2 ebuild.
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 release sparc x86"

CC'ing current Liaisons:
   alpha : yoswink
   amd64 : welp
    hppa : jer
     ppc : dertobi123
   ppc64 : corsair
 release : pva
   sparc : fmccor
     x86 : opfer
Comment 10 Christian Faulhammer (RETIRED) gentoo-dev 2008-06-01 09:30:43 UTC
x86 good to go
Comment 11 Markus Rothe (RETIRED) gentoo-dev 2008-06-01 10:41:38 UTC
looks good on ppc64
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2008-06-02 03:26:26 UTC
HPPA is OK.
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2008-06-02 12:46:16 UTC
Looks okay on alpha/ia64/sparc
Comment 14 Tobias Scherbaum (RETIRED) gentoo-dev 2008-06-03 19:43:41 UTC
also looks good on ppc
Comment 15 Peter Weller (RETIRED) gentoo-dev 2008-06-04 06:24:39 UTC
Looks good to go on amd64, too
Comment 16 Mart Raudsepp gentoo-dev 2008-06-04 07:35:31 UTC
Is this 10am CET or CEST? :)
Comment 17 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-06-04 12:04:07 UTC
public as per $URL. removing arch liaisons and moving to glsa part. please commit the ebuild with stable keywords gathered.
Comment 18 Mart Raudsepp gentoo-dev 2008-06-04 13:26:19 UTC
evolution-2.22.2-r1 and evolution-2.12.3-r2 have been committed to the portage tree, with the gathered stable keywords for the latter, which just leaves release@. CCing them.
Comment 19 Peter Volkov (RETIRED) gentoo-dev 2008-06-05 05:32:01 UTC
Fixed in release snapshot.
Comment 20 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-06-16 20:57:45 UTC
GLSA 200806-06
Comment 21 Muelli 2008-11-08 21:01:12 UTC
Is anybody coordinating with upstream?
Comment 22 Robert Buchholz (RETIRED) gentoo-dev 2008-11-09 10:10:22 UTC
(In reply to comment #21)
> Is anybody coordinating with upstream?

Can you elaborate?