Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 102051 - mail-client/evolution Multiple format string vulnerabilities (CAN-2005-25{49|50})
Summary: mail-client/evolution Multiple format string vulnerabilities (CAN-2005-25{49|...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://archives.neohapsis.com/archive...
Whiteboard: B2 [glsa] DerCorny
Keywords:
Depends on:
Blocks:
 
Reported: 2005-08-10 13:06 UTC by Sune Kloppenborg Jeppesen
Modified: 2019-11-03 11:49 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen gentoo-dev 2005-08-10 13:06:52 UTC
* SITIC Vulnerability Advisory *   
   
           Advisory Name: Evolution multiple remote format string bugs   
       Advisory Reference: SA05-001   
  Date of initial release: 2005-08-10   
                  Product: Evolution 1.5, 2.0, 2.1, 2.2, 2.3   
                 Platform: Linux, BSD systems, Unix   
                   Effect: Remote code execution   
 Vulnerability Identifier: Not assigned   
   
Overview:   
   
Evolution suffers from several format string bugs when handling data from   
 remote sources. These bugs lead to crashes or the execution of arbitrary   
 assembly language code.   
   
Details:   
   
1) The first format string bug occurs when viewing the full vCard data   
 attached to an e-mail message.   
   
When opening an e-mail message, only a compact view of some of the fields   
 from the vCard is displayed, and this does not trigger the vulnerability.   
 To be affected, the user must click on Show Full vCard or perform similar   
 actions such as clicking on Save in Addressbook and then viewing the saved   
 data under the Contacts tab.   
   
Why is this important? An attacker might notice that an organisation uses   
 Evolution, for instance after seeing the "X-Mailer: Evolution x.y.z" e-mail   
 header in their e-mails. He or she could then send out e-mail messages with   
 malicious vCards to many e-mail accounts at the organisation, in the hope   
 that some of the recipients will view the full vCard data sooner or later,   
 thus exposing the organisation to this format string bug.   
   
2) The second format string bug occurs when displaying contact data from   
 remote LDAP servers.   
   
3) The third format string bug occurs when displaying task list data from   
 remote servers.   
   
4) The fourth, and least serious, format string bug occurs when the user   
 goes to the Calendars tab to save task list data that is vulnerable to   
 problem 3 above. Other calendar entries that do not come from task lists   
 are also affected.   
   
Mitigating factors:   
   
Users that never use any of the vulnerable features in Evolution are not   
 affected.   
   
Affected versions:   
   
  o Evolution 1.5 to Evolution 2.3.6.1   
   
Recommendations:   
   
We recommend that users either upgrade to Evolution 2.3.7 (unstable) or   
 apply our unofficial patch to their Evolution installation.   
   
Patch information:   
   
Evolution 2.3.7 is available from the following source:   
   
  o http://ftp.gnome.org/pub/gnome/sources/evolution/   
   
Our unofficial patch is available from our home page:   
   
  o http://www.sitic.se   
   
Acknowledgments:   
   
These vulnerabilities were discovered by Ulf Harnhammar for SITIC, Swedish   
 IT Incident Centre.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-08-12 01:04:30 UTC
obz, liquidx: please bump or apply proposed fix.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-08-21 08:39:01 UTC
Pulling in the rest of the Gnome herd.
We're late on this one, please bump evolution with proposed patch or advise.
Comment 3 John N. Laliberte (RETIRED) gentoo-dev 2005-08-21 08:45:53 UTC
Heres the link to the patch for reference, its a tad difficult to find on the site.

http://www.sitic.se/eng/advisories_and_recommendations/sa05-001.html
http://www.sitic.se/dokument/evolution.formatstring.patch
Comment 4 John N. Laliberte (RETIRED) gentoo-dev 2005-08-21 12:53:23 UTC
patched, tested patch / compile, committed as:
evolution-2.2.3-r3.ebuild
Comment 5 Stefan Cornelius (RETIRED) gentoo-dev 2005-08-21 12:58:15 UTC
Arches, please test evolution-2.2.3-r3 and mark stable, thanks.
Comment 6 Jason Wever (RETIRED) gentoo-dev 2005-08-21 18:03:49 UTC
Stable on SPARC.
Comment 7 René Nussbaumer (RETIRED) gentoo-dev 2005-08-21 22:53:15 UTC
Stable on hppa
Comment 8 Stefan Cornelius (RETIRED) gentoo-dev 2005-08-22 03:55:41 UTC
This is CAN-2005-2550,
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2550
Comment 9 Ulf Harnhammar 2005-08-22 04:19:08 UTC
No, it's CAN-2005-2549 and CAN-2005-2550.

// Ulf Harnhammar
Comment 10 Stefan Cornelius (RETIRED) gentoo-dev 2005-08-22 04:24:11 UTC
Hui, the VIPs are watching us :)
Thanks for the headsup!
Comment 11 Homer Parker (RETIRED) gentoo-dev 2005-08-22 09:08:26 UTC
Stable on amd64
Comment 12 Fernando J. Pereda (RETIRED) gentoo-dev 2005-08-22 11:31:27 UTC
Stable on the almighty alpha architecture !

Cheers,
Ferdy
Comment 13 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-08-22 13:20:14 UTC
Stable on ppc.
Comment 14 Stefan Cornelius (RETIRED) gentoo-dev 2005-08-22 14:20:55 UTC
All security covered arches marked stable, should be ready for GLSA
Comment 15 Bryan Østergaard (RETIRED) gentoo-dev 2005-08-22 15:27:45 UTC
Stable on ia64.
Comment 16 Stefan Cornelius (RETIRED) gentoo-dev 2005-08-23 02:48:41 UTC
GLSA 200508-12. Thanks to everbody who helped.