Bug 261203 (CVE-2009-0582) - <gnome-extra/evolution-data-server-2.24.5-r2 NTLM SASL authentication memory disclosure flaw (CVE-2009-0582)
Summary: <gnome-extra/evolution-data-server-2.24.5-r2 NTLM SASL authentication memory ...
Status: RESOLVED FIXED
Alias: CVE-2009-0582
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa]
Keywords:
: 262549 (view as bug list)
Depends on: CVE-2009-0587
Blocks: gnome2.24
Reported: 2009-03-04 18:20 UTC by Robert Buchholz (RETIRED)
Modified: 2014-05-31 20:13 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
evolution-data-server-CVE-2009-0582.patch (evolution-data-server-CVE-2009-0582.patch,4.54 KB, patch)
2009-03-04 18:24 UTC, Robert Buchholz (RETIRED)
2.24.5 ebuild applying patch (evolution-data-server-2.24.5-r2.ebuild,3.57 KB, text/plain)
2009-03-07 21:20 UTC, Daniel Gryniewicz (RETIRED)

Description Robert Buchholz (RETIRED) gentoo-dev 2009-03-04 18:20:37 UTC
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

On Wednesday 04 March 2009, Tomas Hoger wrote:
camel's NTLM SASL authentication mechanism did not properly validate
server's challenge packets (NTLM authentication type 2 packets, [1]).
In the ntlm_challenge() in camel/camel-sasl-ntlm.c, length of the
domain string that was copied from type 2 to type 3 packet (client's
reply to server's challenge) was not properly validated against the
rest of the data received from the server.

    ntlm_set_string (ret, NTLM_RESPONSE_DOMAIN_OFFSET,
             token->data + NTLM_CHALLENGE_DOMAIN_OFFSET,
             atoi (token->data + NTLM_CHALLENGE_DOMAIN_LEN_OFFSET));

Server could specify a larger length than the actual data sent in the
packet, causing the client to disclose a portion of its memory, or crash.

Note: length value was not properly extracted from the packet too, as
it is not passed as string, rather as 16-bit LE value.

[1] http://curl.haxx.se/rfc/ntlm.html#theType2Message


Attached is the patch written by Matthew that got some testing against
Exchange 2003 IMAP with NTLM.  If you have other NTLM server
implementations you can easily test this against (such as various
Exchange versions), please do so and report any possible problems.

This issue is tracked as CVE-2009-0582 and we currently do not plan to
make this public before CVE-2008-4316.
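
Added example, not part of the original report and not the patch attached to this bug: a bounds-checked read of the domain security buffer from a type 2 packet, using the field layout in reference [1]. The function and constant names are hypothetical, and the sample packet is constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Type 2 layout from reference [1]: 8-byte "NTLMSSP\0" signature, u32 type,
 * then the target (domain) name security buffer at byte 12:
 * u16 length, u16 allocated, u32 offset, all little-endian.
 * Constant and function names here are hypothetical. */
#define T2_DOMAIN_SECBUF 12
#define T2_HEADER_LEN    32   /* header through the 8-byte challenge */

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) { return le16(p) | ((uint32_t)le16(p + 2) << 16); }

/* Returns 0 and points *dom at the domain bytes inside pkt, or -1 if the
 * declared buffer does not fit in the bytes actually received. */
int t2_get_domain(const uint8_t *pkt, size_t pkt_len,
                  const uint8_t **dom, size_t *dom_len)
{
    if (pkt == NULL || pkt_len < T2_HEADER_LEN)
        return -1;
    if (memcmp(pkt, "NTLMSSP\0", 8) != 0 || le32(pkt + 8) != 2)
        return -1;
    uint16_t len = le16(pkt + T2_DOMAIN_SECBUF);      /* binary field, not atoi() */
    uint32_t off = le32(pkt + T2_DOMAIN_SECBUF + 4);
    /* Ordered so that neither comparison can overflow. */
    if (off > pkt_len || len > pkt_len - off)
        return -1;
    *dom = pkt + off;
    *dom_len = len;
    return 0;
}

/* Constructed sample: 32-byte header followed by the 3 bytes "DOM";
 * claimed_len is the domain length the server declares. buf needs 35 bytes. */
size_t t2_sample(uint8_t *buf, uint16_t claimed_len)
{
    memset(buf, 0, T2_HEADER_LEN);
    memcpy(buf, "NTLMSSP\0", 8);
    buf[8] = 2;                                        /* message type 2 */
    buf[12] = (uint8_t)(claimed_len & 0xff);
    buf[13] = (uint8_t)(claimed_len >> 8);
    buf[16] = T2_HEADER_LEN;                           /* domain offset */
    memcpy(buf + T2_HEADER_LEN, "DOM", 3);
    return T2_HEADER_LEN + 3;
}

int main(void)
{
    uint8_t b[64]; const uint8_t *d; size_t n, got = t2_sample(b, 0x4000);
    return t2_get_domain(b, got, &d, &n) == -1 ? 0 : 1; /* oversized claim rejected */
}
```
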
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-03-04 18:24:12 UTC
Created attachment 183910 [details, diff]
evolution-data-server-CVE-2009-0582.patch
Comment 2 Daniel Gryniewicz (RETIRED) gentoo-dev 2009-03-07 21:20:26 UTC
Created attachment 184279 [details]
2.24.5 ebuild applying patch

Here is evolution-data-server-2.24.5-r2 that applies the above patch. I've tested that it doesn't break anything I use (but I don't have access to NTLM S/MIME server authentication). Note that this is based on 2.24.5-r1 from bug #258867 which was committed today, but is not yet stable. Any arch that is stabilizing 2.24 from bug #260063 will need to test this.

I can't test 2.22.3 until Monday when I get back to work; I'll post an ebuild for that then.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-03-08 02:29:46 UTC
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

CC'ing current Liaisons:
   alpha : yoswink, armin76
   amd64 : keytoaster, tester
    hppa : jer
     ppc : dertobi123
   ppc64 : corsair
   sparc : fmccor
     x86 : maekke, armin76
Comment 4 Daniel Gryniewicz (RETIRED) gentoo-dev 2009-03-08 02:39:52 UTC
Assuming you plan to do bug #260063 soon.  If not, you'll have to wait until Monday for a 2.22 version.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2009-03-12 16:29:16 UTC
public via URL.
Comment 6 Daniel Gryniewicz (RETIRED) gentoo-dev 2009-03-12 23:30:02 UTC
added evolution-data-server-2.24.5-r2 to the tree, and marked stable for amd64.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2009-03-13 21:18:53 UTC
Arches, please test and mark stable:
=gnome-extra/evolution-data-server-2.24.5-r2
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Already stabled : "amd64"
Missing keywords: "alpha arm hppa ia64 ppc ppc64 sparc x86"
Comment 8 Stefan Behte (RETIRED) gentoo-dev Security 2009-03-15 11:40:14 UTC
*** Bug 262549 has been marked as a duplicate of this bug. ***
Comment 9 Brent Baude (RETIRED) gentoo-dev 2009-03-15 12:57:58 UTC
ppc64 done
Comment 10 Markus Meier gentoo-dev 2009-03-15 22:26:22 UTC
x86 stable
Comment 11 Brent Baude (RETIRED) gentoo-dev 2009-03-18 21:40:21 UTC
ppc done
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2009-03-20 15:25:06 UTC
alpha/ia64 stable
Comment 13 Friedrich Oslage (RETIRED) gentoo-dev 2009-04-12 19:45:18 UTC
sparc stable
Comment 14 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-04-19 20:39:11 UTC
Re-rating B3, it's either a DoS or memory disclosure, no code execution here.
Hppa, any problem here?
Comment 15 Raúl Porcel (RETIRED) gentoo-dev 2009-04-27 11:54:16 UTC
arm stable
Comment 16 Jeroen Roovers (RETIRED) gentoo-dev 2009-04-27 16:50:53 UTC
Stable for HPPA (filed under bug #260063).
Comment 17 Tobias Heinlein (RETIRED) gentoo-dev 2009-05-03 18:57:09 UTC
Ready for vote, I vote YES.
Comment 18 Robert Buchholz (RETIRED) gentoo-dev 2009-07-10 10:43:17 UTC
YES, request filed
Comment 19 Gilles Dartiguelongue (RETIRED) gentoo-dev 2010-01-24 22:34:24 UTC
ping ? all of gnome 2.24 is going away soon.
Comment 20 Sean Amoss (RETIRED) gentoo-dev Security 2014-05-31 20:13:05 UTC
This issue has been fixed since Apr 27, 2009. No GLSA will be issued.