Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 182011 - gnome-extra/evolution-data-server - Security bug in Camel's IMAP provider (CVE-2007-3257)
Summary: gnome-extra/evolution-data-server - Security bug in Camel's IMAP provider (CV...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal
Assignee: Gentoo Security
URL: http://bugzilla.gnome.org/show_bug.cg...
Whiteboard: B2? [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2007-06-14 09:16 UTC by Peter Volkov (RETIRED)
Modified: 2007-08-25 22:11 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Peter Volkov (RETIRED) gentoo-dev 2007-06-14 09:16:57 UTC
Original bug report: http://bugzilla.gnome.org/show_bug.cgi?id=447414

Just copying description from the upstream bug report:

==================================================
The "SEQUENCE" value in the GData of the IMAP code (camel-imap-folder.c) is
converted from a string using strtol. This allows for negative values.

The imap_rescan uses this value as an int. It checks for !seq and
seq>summary.length. It doesn't check for seq < 0. Although seq is used as the
index of an array.

This means that a negative index number can be fed to the array lookup by
altering the output of an IMAP server.

I'm marking this as a blocker (very very serious) security bug as this is
remotely exploitable (I can put shell code in the UID field of the IMAP code,
and make it execute on the victim's computer, as at the seq'd field of the
index a g_strdup of the UID is written to memory. By carefully calculating the
negative value and overwriting the instruction pointer near the array's start,
I can let it point to that memory and get it to execute).

I first informed the Camel authors about this bug, but they didn't respond
quickly enough (it has been months now). I hereby stop caring about the secrecy
of security bug reports and I do report it now.

This bug affects nearly all versions of Evolutions. It can be fixed by either
checking for seq < 0 or by using strtoul in stead of strtol.
==================================================

Both evolution-data-server-1.8.3-r4 and evolution-data-server-1.10.1-r2 are affected. 1.6.x affected but should be removed from the tree at some point... As soon as patches will be applied upstream, I'll do the same in our ebuilds.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-06-14 15:25:05 UTC
gnome please advise.
Comment 2 Gilles Dartiguelongue (RETIRED) gentoo-dev 2007-06-14 15:32:28 UTC
it has been commited to trunk and stable, I guess we need to patch all our versions of eds and stabilize them asap
Comment 3 Daniel Gryniewicz (RETIRED) gentoo-dev 2007-06-14 17:38:40 UTC
Okay, bumps for e-d-s are in the tree.

Target keywords for 1.6.2-r1: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

target keywords for 1.8.3-r5: alpha amd64 ~arm hppa ia64 ppc ppc64 sparc x86 ~x86-fbsd
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-06-14 17:47:37 UTC
Thanks Daniel.

Arches please test and mark stable.
Comment 5 Gustavo Zacarias (RETIRED) gentoo-dev 2007-06-14 19:37:16 UTC
sparc stable.
Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev 2007-06-14 19:40:50 UTC
ppc stable
Comment 7 Daniel Gryniewicz (RETIRED) gentoo-dev 2007-06-14 20:12:23 UTC
amd64 done.  (yay for having tested during the bump)
Comment 8 Brent Baude (RETIRED) gentoo-dev 2007-06-14 21:01:46 UTC
ppc64 done
Comment 9 Christian Faulhammer (RETIRED) gentoo-dev 2007-06-14 22:29:27 UTC
x86 stable
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2007-06-15 10:57:54 UTC
alpha/ia64 stable
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2007-06-16 17:24:51 UTC
Stable for HPPA.
Comment 12 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-07-05 23:10:56 UTC
GLSA 200707-03