Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 212272 - mail-client/evolution <2.12.3-r1 Encrypted Message Version Format String Vulnerability (CVE-2008-0072)
Summary: mail-client/evolution <2.12.3-r1 Encrypted Message Version Format String Vuln...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/29057/
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-03-04 12:57 UTC by Robert Buchholz (RETIRED)
Modified: 2008-03-06 10:14 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
evolution-CVE-2008-0072.diff (evolution-CVE-2008-0072.diff,2.45 KB, patch)
2008-03-04 13:00 UTC, Robert Buchholz (RETIRED)
no flags Details | Diff
evolution-2.12.3-r1.ebuild (evolution-2.12.3-r1.ebuild,5.74 KB, text/plain)
2008-03-04 15:11 UTC, Gilles Dartiguelongue
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2008-03-04 12:57:58 UTC
Secunia reports:

A format string error in the "emf_multipart_encrypted()" function in
mail/em-format.c when displaying the "Version:" field from an encrypted
e-mail message can be exploited to execute arbitrary code via a
specially crafted e-mail message.

Successful exploitation requires that the user opens a malicious e-mail
message.
...
We have assigned this vulnerability Secunia advisory SA29057 and the CVE
identifier CVE-2008-0072.

Credits should go to:
Ulf Harnhammar, Secunia Research.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-03-04 12:59:37 UTC
Daniel, Gilles, this issue is under embargo until 2008-03-19 10am CET. Do not commit anything to CVS until this date. Please prepare an updated ebuild and attach it to this bug, we will do prestable testing here. Thanks.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-03-04 13:00:38 UTC
Created attachment 145259 [details, diff]
evolution-CVE-2008-0072.diff

Upstream patch
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-03-04 13:18:26 UTC
Embargo date was *advanced* to be tomorrow.
Comment 4 Gilles Dartiguelongue gentoo-dev 2008-03-04 15:11:55 UTC
Created attachment 145266 [details]
evolution-2.12.3-r1.ebuild

full ebuild as asked by rbu.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-03-04 15:16:02 UTC
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug. Please note that this issue will be public tomorrow morning. Thanks.

Target keywords : "alpha amd64 hppa ia64 ppc ppc64 release sparc x86"

CC'ing current Liaisons:
   alpha : ferdy
   amd64 : welp
    hppa : jer
     ppc : dertobi123
   ppc64 : corsair
 release : pva
   sparc : fmccor
     x86 : opfer
Comment 6 Jeroen Roovers gentoo-dev 2008-03-04 17:24:03 UTC
As for HPPA: for reasons evolution takes around 3 hours to build on a 625MHz PA8700 (C3650)[1] and the build is not nearly halfway through. I'll be off to work before it finishes, so you can expect me to report back with some test results in about 9 hours from now (and no sooner).

[1] I am currently building mail-client/evolution on a comparable Pentium III at 833MHz to see if the HPPA build time is indeed overly long.
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2008-03-04 20:09:54 UTC
Calendar and Tasks:
 * import of big ICS...check
 * import of tasks...check
 * modifying tasks and events...check

Mail:
 * IMAP...check
 * SMTP...check
 * POP3...check

Good to go on x86
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2008-03-04 21:38:16 UTC
Looks fine on alpha/ia64/sparc
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2008-03-05 01:13:23 UTC
Looks good on amd64.
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2008-03-05 01:14:34 UTC
jer, it compiles a while on my core2 too, no worries.
Comment 11 Brent Baude (RETIRED) gentoo-dev 2008-03-05 02:09:24 UTC
was cool for ppc64 here too
Comment 12 Jeroen Roovers gentoo-dev 2008-03-05 04:05:18 UTC
(In reply to comment #10)
> jer, it compiles a while on my core2 too, no worries.

Takes ~2 hours on the Pentium III, so I guess that's normal.

Anyway, it appears to be good for HPPA.
Comment 13 Mart Raudsepp gentoo-dev 2008-03-05 09:04:36 UTC
Committed ebuild at 10:05am CET. Patch extension renamed from diff to patch to be the same as every new GNOME packages patch and explanation added on top of the patch as I like to do for future easy seeing what a given patch is for. Tested to work good on amd64 as well.

+*evolution-2.12.3-r1 (05 Mar 2008)
+
+  05 Mar 2008; Mart Raudsepp <leio@gentoo.org>
+  +files/evolution-CVE-2008-0072.patch, +evolution-2.12.3-r1.ebuild:
+  Security fix for "Encrypted Message Version Format String Vulnerability".
+  Stable on alpha, amd64, hppa, ia64, ppc64, sparc and x86
+
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2008-03-05 10:05:49 UTC
Thank you guys for the fast work.


Target keywords : "alpha amd64 hppa ia64 ppc ppc64 release sparc x86"
Already stabled : "alpha amd64 hppa ia64 ppc64 sparc x86"
Missing keywords: "ppc release"

Comment 15 Tobias Scherbaum (RETIRED) gentoo-dev 2008-03-05 19:29:52 UTC
ppc stable, ready for glsa
Comment 16 Robert Buchholz (RETIRED) gentoo-dev 2008-03-05 20:09:34 UTC
request filed
Comment 17 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-03-05 22:30:51 UTC
GLSA 200803-12
Comment 18 Peter Volkov (RETIRED) gentoo-dev 2008-03-06 10:14:49 UTC
Fixed in release snapshot.