Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 262555 (CVE-2009-0587) - <gnome-extra/evolution-data-server-2.24.5 Multiple integer overflows (CVE-2009-0587)
Summary: <gnome-extra/evolution-data-server-2.24.5 Multiple integer overflows (CVE-200...
Status: RESOLVED INVALID
Alias: CVE-2009-0587
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://ocert.org/patches/2008-015/cam...
Whiteboard: B4 [ebuild]
Keywords:
Depends on:
Blocks: CVE-2009-0582
  Show dependency tree
 
Reported: 2009-03-15 12:17 UTC by Stefan Behte (RETIRED)
Modified: 2009-03-16 23:12 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Behte (RETIRED) gentoo-dev Security 2009-03-15 12:17:40 UTC
CVE-2009-0587 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0587):
  Multiple integer overflows in Evolution Data Server (aka
  evolution-data-server) before 2.24.5 allow context-dependent
  attackers to execute arbitrary code via a long string that is
  converted to a base64 representation in (1)
  addressbook/libebook/e-vcard.c in evc or (2) camel/camel-mime-utils.c
  in libcamel.
Comment 2 Gilles Dartiguelongue gentoo-dev 2009-03-16 22:25:40 UTC
I couldn't find any reference to the code in those patches in either 2.22.3-r2 or 2.24.5-r2, am I missing something or is it refering to only 2.24 series that we won't stabilize ?
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-03-16 23:12:20 UTC
The version numbers in the CVE entry (and in the oCert advisory) are misleading. This has been fixed since at least EDS 2.21.1 as can be seen in the changelog entries:

http://svn.gnome.org/viewvc/evolution-data-server/tags/EVOLUTION_DATA_SERVER_2_21_1/addressbook/ChangeLog?revision=8170&view=markup&sortby=rev


67 	2007-09-27 Matthew Barnes <mbarnes@redhat.com>
68 	
69 	** Fixes part of bug #474000
70 	
71 	* tests/ebook/test-photo.c (main):
72 	Use GLib's Base64 API instead of EVCard's.

http://svn.gnome.org/viewvc/evolution-data-server/tags/EVOLUTION_DATA_SERVER_2_21_1/camel/ChangeLog?revision=8170&view=markup&sortby=rev

53 	2007-09-27 Matthew Barnes <mbarnes@redhat.com>
54 	
55 	** Fixes part of bug #474000
56 	
57 	* camel-mime-utils.c:
58 	* camel-mime-utils.h:
59 	Deprecate Camel's Base64 API and make the functions thin wrappers
60 	for GLib's Base64 API.
61 	
62 	* camel-multipart.c (set_boundary):
63 	* camel-vee-folder.c (camel_vee_folder_hash_folder):
64 	* camel-mime-filter-basic.c (complete):
65 	* camel-sasl-digest-md5.c (generate_response):
66 	* camel-http-stream.c (camel_http_stream_set_proxy):
67 	* camel-sasl.c (camel_sasl_challenge_base64):
68 	Use GLib's Base64 API instead of Camel's.