Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 261203 (CVE-2009-0582) - <gnome-extra/evolution-data-server-2.24.5-r2 NTLM SASL authentication memory disclosure flaw (CVE-2009-0582)
Summary: <gnome-extra/evolution-data-server-2.24.5-r2 NTLM SASL authentication memory ...
Status: RESOLVED FIXED
Alias: CVE-2009-0582
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa]
Keywords:
: 262549 (view as bug list)
Depends on: CVE-2009-0587
Blocks: gnome2.24
  Show dependency tree
 
Reported: 2009-03-04 18:20 UTC by Robert Buchholz (RETIRED)
Modified: 2014-05-31 20:13 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
evolution-data-server-CVE-2009-0582.patch (evolution-data-server-CVE-2009-0582.patch,4.54 KB, patch)
2009-03-04 18:24 UTC, Robert Buchholz (RETIRED)
no flags Details | Diff
2.24.5 ebuild applying patch (evolution-data-server-2.24.5-r2.ebuild,3.57 KB, text/plain)
2009-03-07 21:20 UTC, Daniel Gryniewicz (RETIRED)
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2009-03-04 18:20:37 UTC
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

On Wednesday 04 March 2009, Tomas Hoger wrote:
camel's NTLM SASL authentication mechanism did not properly validate
server's challenge packets (NTLM authentication type 2 packets, [1]).
In the ntlm_challenge() in camel/camel-sasl-ntlm.c, length of the
domain string that was copied from type 2 to type 3 packet (client's
reply to server's challenge) was not properly validated against the
rest of the data received from the server.

127     ntlm_set_string (ret, NTLM_RESPONSE_DOMAIN_OFFSET,
128              token->data + NTLM_CHALLENGE_DOMAIN_OFFSET,
129              atoi (token->data + NTLM_CHALLENGE_DOMAIN_LEN_OFFSET));

Server could specify larger length than the actual data sent in the
packet, causing the client to disclose portion of its memory, or crash.

Note: length value was not properly extracted from the packet too, as
it is not passed as string, rather as 16-bit LE value.

[1] http://curl.haxx.se/rfc/ntlm.html#theType2Message


Attached is the patch written by Matthew that got some testing against
Exchange 2003 IMAP with NTLM.  If you have other NTLM server
implementations you can easily test this against (such as various
Exchange versions), please do so and report any possible problems.

This issue is tracked as CVE-2009-0582 and we currently do not plan to
make this public before CVE-2008-4316.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-03-04 18:24:12 UTC
Created attachment 183910 [details, diff]
evolution-data-server-CVE-2009-0582.patch
Comment 2 Daniel Gryniewicz (RETIRED) gentoo-dev 2009-03-07 21:20:26 UTC
Created attachment 184279 [details]
2.24.5 ebuild applying patch

Here is evolution-data-server-2.24.5-r2  that applies the above patch.  I've tested that it doesn't break anything I use (but I don't have access to NTLM S/MIME server authentication).  Note that this is based on 2.24.5-r1 from bug #258867 which was committed today, but is not yet stable.  Any arch that is stabilizing 2.24 from bug #260063 will need to test this.

I can't test 2.22.3 until Monday when I get back to work; I'll post an ebuild for that then.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-03-08 02:29:46 UTC
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

CC'ing current Liaisons:
   alpha : yoswink, armin76
   amd64 : keytoaster, tester
    hppa : jer
     ppc : dertobi123
   ppc64 : corsair
   sparc : fmccor
     x86 : maekke, armin76
Comment 4 Daniel Gryniewicz (RETIRED) gentoo-dev 2009-03-08 02:39:52 UTC
Assuming you plan to do bug #260063 soon.  If not, you'll have to wait until Monday for a 2.22 version.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2009-03-12 16:29:16 UTC
public via URL.
Comment 6 Daniel Gryniewicz (RETIRED) gentoo-dev 2009-03-12 23:30:02 UTC
added evolution-data-server-2.24.5-r2 to the tree, and marked stable for amd64.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2009-03-13 21:18:53 UTC
Arches, please test and mark stable:
=gnome-extra/evolution-data-server-2.24.5-r2
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Already stabled : "amd64"
Missing keywords: "alpha arm hppa ia64 ppc ppc64 sparc x86"
Comment 8 Stefan Behte (RETIRED) gentoo-dev Security 2009-03-15 11:40:14 UTC
*** Bug 262549 has been marked as a duplicate of this bug. ***
Comment 9 Brent Baude (RETIRED) gentoo-dev 2009-03-15 12:57:58 UTC
ppc64 done
Comment 10 Markus Meier gentoo-dev 2009-03-15 22:26:22 UTC
x86 stable
Comment 11 Brent Baude (RETIRED) gentoo-dev 2009-03-18 21:40:21 UTC
ppc done
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2009-03-20 15:25:06 UTC
alpha/ia64 stable
Comment 13 Friedrich Oslage (RETIRED) gentoo-dev 2009-04-12 19:45:18 UTC
sparc stable
Comment 14 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-04-19 20:39:11 UTC
Re-rating B3, it's either a Dos or memory disclosure, no code execution here.
Hppa, any problem here?
Comment 15 Raúl Porcel (RETIRED) gentoo-dev 2009-04-27 11:54:16 UTC
arm stable
Comment 16 Jeroen Roovers gentoo-dev 2009-04-27 16:50:53 UTC
Stable for HPPA (filed under bug #260063).
Comment 17 Tobias Heinlein (RETIRED) gentoo-dev 2009-05-03 18:57:09 UTC
Ready for vote, I vote YES.
Comment 18 Robert Buchholz (RETIRED) gentoo-dev 2009-07-10 10:43:17 UTC
YES, request filed
Comment 19 Gilles Dartiguelongue gentoo-dev 2010-01-24 22:34:24 UTC
ping ? all of gnome 2.24 is going away soon.
Comment 20 Sean Amoss gentoo-dev Security 2014-05-31 20:13:05 UTC
This issue has been fixed since Apr 27, 2009. No GLSA will be issued.