This bug is marked confidential, do not disclose any information or commit anything until the bug has been made public.

Secunia Research reports a vulnerability in evolution (CVE-2008-{1108,1109}). Preliminary disclosure date is 2008-06-04 10am CET. The following is an excerpt from the vulnerability report; more details are available:

Secunia Research has discovered two vulnerabilities in Evolution, which can be exploited by malicious people to compromise a user's system.

1) A boundary error exists when parsing timezone strings contained within iCalendar attachments. This can be exploited to overflow a static buffer via an overly long timezone string. Successful exploitation allows execution of arbitrary code, but requires that the ITip Formatter plugin is disabled.

2) A boundary error exists when replying to an iCalendar request while in calendar view. This can be exploited to cause a heap-based buffer overflow via an overly long "DESCRIPTION" property string included in an iCalendar attachment. Successful exploitation allows execution of arbitrary code, but requires that the user accepts the iCalendar request and replies to it from the "Calendars" window.

The vulnerabilities are confirmed in version 2.22.1. Other versions may also be affected.

[...]

Credits should go to: Alin Rad Pop, Secunia Research.
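The bug shape in item 1 of the report above, as an added illustration in C. This is not Evolution's code and not part of this bug thread: the destination buffer size (64 bytes), the function names and the sample iCalendar lines are assumptions made for the example. It shows an unbounded copy of a TZID parameter value into a fixed-size static buffer next to a bounded version that refuses over-long values. The same bounded-copy discipline applies to item 2, where the over-long value is the DESCRIPTION property and the destination is a heap buffer rather than a static one.

```c
/* Added illustration (not Evolution's code): an unbounded copy of an
 * iCalendar timezone identifier into a fixed-size static buffer, next to a
 * bounded version that rejects over-long values. Buffer size, function
 * names and the sample lines are assumptions made for this example. */
#include <stdio.h>
#include <string.h>

#define TZID_MAX 64   /* assumed destination size; not Evolution's value */

/* Constructed sample input, not a real attachment. */
static const char SAMPLE_OK[] = "DTSTART;TZID=Europe/Berlin:20080604T100000";

/* Builds a constructed line whose TZID value is 200 bytes long. */
const char *constructed_long_tzid_line(void)
{
    static char line[512];
    size_t pre = strlen("DTSTART;TZID=");
    memcpy(line, "DTSTART;TZID=", pre);
    memset(line + pre, 'A', 200);
    strcpy(line + pre + 200, ":20080604T100000");
    return line;
}

/* Vulnerable pattern: whatever follows "TZID=" is copied into a static
 * buffer with no length check, so a value of TZID_MAX bytes or more writes
 * past tzid_buf into adjacent static storage. Kept only to show the bug
 * shape; never call it on untrusted input. */
static char tzid_buf[TZID_MAX];

const char *extract_tzid_unsafe(const char *line)
{
    const char *p = strstr(line, "TZID=");
    if (!p)
        return NULL;
    p += strlen("TZID=");
    size_t n = strcspn(p, ":;");   /* value ends at ':' or the next parameter */
    memcpy(tzid_buf, p, n);        /* no check that n + 1 <= TZID_MAX */
    tzid_buf[n] = '\0';
    return tzid_buf;
}

/* Hardened form: the caller passes the destination and its size, and a
 * value that does not fit (terminator included) is refused rather than
 * silently truncated. Returns the value length, or -1 on error. */
int extract_tzid_safe(const char *line, char *dst, size_t dstlen)
{
    if (!line || !dst || dstlen == 0)
        return -1;
    const char *p = strstr(line, "TZID=");
    if (!p)
        return -1;
    p += strlen("TZID=");
    size_t n = strcspn(p, ":;");
    if (n >= dstlen)               /* n + NUL would not fit: reject */
        return -1;
    memcpy(dst, p, n);
    dst[n] = '\0';
    return (int)n;
}

/* Convenience wrapper: parse into a TZID_MAX-sized stack buffer and report
 * only the outcome, so the bounded check can be exercised directly. */
int safe_tzid_len(const char *line)
{
    char buf[TZID_MAX];
    return extract_tzid_safe(line, buf, sizeof buf);
}

int main(void)
{
    char buf[TZID_MAX];
    printf("safe, ok line:   %d\n", extract_tzid_safe(SAMPLE_OK, buf, sizeof buf));
    printf("safe, long line: %d\n", safe_tzid_len(constructed_long_tzid_line()));
    printf("unsafe, ok line: %s\n", extract_tzid_unsafe(SAMPLE_OK));
    return 0;
}
```

The hardened function rejects rather than truncates: a timezone name cut to 63 bytes is still wrong data, and a caller that silently accepts it can end up resolving the wrong zone. Note that the unsafe variant is only ever called on the short sample here; feeding it the constructed 200-byte line is undefined behaviour, which is precisely the point of the advisory.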
Created attachment 154593: patch for CVE-2008-1108 (2.22.1)
Created attachment 154595: patch for CVE-2008-1109 (2.22.1)
2.22.2 and 2.23.2 are vulnerable.
I could also reproduce the issue with our stable 2.12.3. I'll attach the patches with clean whitespace, as the ones above do not apply. If you can, please prepare an ebuild for prestabling.
Created attachment 154927: evolution-2.12.3-CVE-2008-1108.patch
Created attachment 154929: evolution-2.12.3-CVE-2008-1109.patch
Created attachment 154995: evolution-2.12.3.patch (patch for the 2.12.3 ebuild)
Created attachment 154999: evolution-2.22.2.patch (patch for the 2.22.2 ebuild). The first set of patches would need to match the scheme of the second set of patches to apply properly.
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug. Security only cares about the (to come) evolution-2.12.3-r2 ebuild.

Target keywords: "alpha amd64 hppa ia64 ppc ppc64 release sparc x86"

CC'ing current Liaisons:
alpha : yoswink
amd64 : welp
hppa : jer
ppc : dertobi123
ppc64 : corsair
release : pva
sparc : fmccor
x86 : opfer
x86 good to go
looks good on ppc64
HPPA is OK.
Looks okay on alpha/ia64/sparc
also looks good on ppc
Looks good to go on amd64, too
Is this 10am CET or CEST? :)
Public as per $URL. Removing arch liaisons and moving to the GLSA part. Please commit the ebuild with the stable keywords gathered.
evolution-2.22.2-r1 and evolution-2.12.3-r2 have been committed to the portage tree, with the gathered stable keywords for the latter, which just leaves release@. CCing them.
Fixed in release snapshot.
GLSA 200806-06
Is anybody coordinating with upstream?
(In reply to comment #21)
> Is anybody coordinating with upstream?

Can you elaborate?