evolution: Multiple format string vulnerabilities in Evolution

Bug #19920 reported by Debian Bug Importer
Affects             Status        Importance  Assigned to       Milestone
evolution (Debian)  Fix Released  Unknown
evolution (Ubuntu)  Fix Released  High        Sebastien Bacher

Bug Description

Automatically imported from Debian bug report #322535 http://bugs.debian.org/322535

Revision history for this message
Martin Pitt (pitti) wrote :

Already fixed in Ubuntu.


Debian Bug Importer (debzilla) wrote :

Date: Thu, 11 Aug 2005 11:25:46 +0200
From: Moritz Muehlenhoff <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: evolution: Multiple format string vulnerabilities in Evolution

Package: evolution
Severity: grave
Tags: security

Multiple exploitable format string vulnerabilities have been found in
Evolution. Please see
http://www.securityfocus.com/archive/1/407789/30/0/threaded
for details. 2.3.7 fixes all these issues.

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-rc5
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)

Debian Bug Importer (debzilla) wrote :

Date: Sat, 13 Aug 2005 12:47:45 +0200
From: Ulf Harnhammar <email address hidden>
To: <email address hidden>
Subject: Patch

If you don't want to upgrade to 2.3.7, which is unstable, you
can use our unofficial patch:

  o http://www.sitic.se/dokument/evolution.formatstring.patch

// Ulf

Debian Bug Importer (debzilla) wrote :

Date: Mon, 22 Aug 2005 22:24:16 +0100
From: Neil McGovern <email address hidden>
To: <email address hidden>
Subject: NMU


Hi there,

Can you please update the package.
If there's no reply by Friday, I'll prepare an NMU.

Many thanks,
Neil McGovern
--
   __
 .Ž `. <email address hidden> | Application Manager
 : :' ! ---------------- | Secure-Testing Team member
 `. `Ž gpg: B345BDD3 | Webapps Team member
   `- Please don't cc, I'm subscribed to the list


Debian Bug Importer (debzilla) wrote :

Date: Thu, 25 Aug 2005 10:37:48 +0900
From: Takuo KITAME <email address hidden>
To: <email address hidden>, Neil McGovern <email address hidden>
Subject: Re: [Evolution] Bug#322535: NMU

On 2005-08-22 (Mon) at 22:24 +0100, Neil McGovern wrote:
> Hi there,
>
> Can you please update the package.
> If there's no reply by Friday, I'll prepare an NMU.
>
> Many thanks,
> Neil McGovern

It seems no upstream release for 2.2.x (stable).
Please wait.

--
Takuo KITAME

Debian Bug Importer (debzilla) wrote :

Date: Fri, 26 Aug 2005 21:23:31 +0100
From: Neil McGovern <email address hidden>
To: <email address hidden>
Subject: Re: [Evolution] Bug#322535: NMU


Hi there,

Although there's no new upstream stable, there's a nice patch that would
fix this security bug. See earlier in the thread.

Could you please apply this?

Cheers,
Neil
--
   __
 .Ž `. <email address hidden> | Application Manager
 : :' ! ---------------- | Secure-Testing Team member
 `. `Ž gpg: B345BDD3 | Webapps Team member
   `- Please don't cc, I'm subscribed to the list


Debian Bug Importer (debzilla) wrote :

Date: Sat, 27 Aug 2005 18:41:57 +0100
From: "Adam D. Barratt" <email address hidden>
To: <email address hidden>, <email address hidden>
Cc: <email address hidden>
Subject: #322535 appears to be fixed

Version: 2.2.3-3

Hi,

It looks like this was fixed in the evolution 2.2.3-3 packages uploaded
on Thursday, but not closed due to a typo in the changelog:

evolution (2.2.3-3) unstable; urgency=high

   * security fix. (closes: Bug#32253)
     - Multiple exploitable format string vulnerabilities
       Applied unofficial security fix patch from
       http://www.sitic.se/dokument/evolution.formatstring.patch

 -- Takuo KITAME <email address hidden> Thu, 25 Aug 2005 14:58:34 +0900

Closing now.

Regards,

Adam

Debian Bug Importer (debzilla) wrote :

Date: Thu, 1 Dec 2005 15:13:42 +0100
From: Moritz Muehlenhoff <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: evolution CVE-2005-2549/CVE-2005-2550


Dear security team,
so far there hasn't been a security update for the latest evolution
vulnerabilities. (CVE-2005-2549/CVE-2005-2550)
I've attached patches for Woody and Sarge. The Sarge fixes are straightforward,
but some comments on Woody, relative to the patch hunks from the Sarge fix:
- accum_attribute() isn't present in Woody, so hunks 1-3 are void.
- the vulnerable code from e-cal-component-preview.c isn't present either.
- the vulnerable code from e-calendar-table.c and e-calendar-view.c is contained
  in Woody, although in a different place. This is exploitable as well, have a
  look at the description of the function that feeds data into ical_string:
  | * cal-client/cal-client.c (cal_client_get_component_as_string): new
  | function to return a complete VCALENDAR string containing a VEVENT
  | or VTODO with all the VTIMEZONEs it uses.

Cheers,
        Moritz
Attachment: CVE-2005-2549-CVE-2005-2550-evolution-sarge.patch (text/plain)

diff -Naur evolution-2.0.4.orig/addressbook/gui/widgets/eab-contact-display.c evolution-2.0.4/addressbook/gui/widgets/eab-contact-display.c
--- evolution-2.0.4.orig/addressbook/gui/widgets/eab-contact-display.c Mon Feb 14 17:09:03 2005
+++ evolution-2.0.4/addressbook/gui/widgets/eab-contact-display.c Fri Nov 25 16:50:43 2005
@@ -338,7 +338,7 @@
  accum_attribute (accum, contact, _("Yahoo"), E_CONTACT_IM_YAHOO_HOME_1, YAHOO_ICON, 0);

  if (accum->len > 0)
- gtk_html_stream_printf (html_stream, accum->str);
+ gtk_html_stream_printf (html_stream, "%s", accum->str);

  end_block (html_stream);

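Review bot: the change to gtk_html_stream_printf (html_stream, "%s", accum->str) removes the non-literal format, but since accum is a GString whose length is already checked on the line above (accum->len > 0), a length-based write of accum->str (gtk_html_stream_write, assuming the GtkHTML version targeted here provides it) would skip the printf path altogether and also cope with embedded NULs; whichever form is chosen, the same one should be used in the two hunks below in this file, which repeat this exact call.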
@@ -353,7 +353,7 @@

  if (accum->len > 0) {
   start_block (html_stream, _("work"));
- gtk_html_stream_printf (html_stream, accum->str);
+ gtk_html_stream_printf (html_stream, "%s", accum->str);
   end_block (html_stream);
  }

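Review bot: identical fix to the first hunk, which is fine, but the start_block / gtk_html_stream_printf / end_block sequence for "work" here and for "personal" in the next hunk is the same three lines repeated; a small helper taking the block label would keep the safe form in one place so the next caller cannot reintroduce accum->str as a format string.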
@@ -368,7 +368,7 @@

  if (accum->len > 0) {
   start_block (html_stream, _("personal"));
- gtk_html_stream_printf (html_stream, accum->str);
+ gtk_html_stream_printf (html_stream, "%s", accum->str);
   end_block (html_stream);
  }

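Review bot: same pattern as the two hunks above; note that, per the cover mail, accum_attribute() and these three eab-contact-display.c hunks have no counterpart in Woody, so the Woody backport must drop this file outright rather than expecting the hunks to apply with an offset.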
diff -Naur evolution-2.0.4.orig/calendar/gui/e-cal-component-preview.c evolution-2.0.4/calendar/gui/e-cal-component-preview.c
--- evolution-2.0.4.orig/calendar/gui/e-cal-component-preview.c Sun Apr 18 20:01:19 2004
+++ evolution-2.0.4/calendar/gui/e-cal-component-preview.c Fri Nov 25 16:50:43 2005
@@ -285,7 +285,7 @@
      str = g_string_append_c (str, text.value[i]);
    }

- gtk_html_stream_printf (stream, str->str);
+ gtk_html_stream_printf (stream, "%s", str->str);
    g_string_free (str, TRUE);
   }

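Review bot: the fix is correct, and the context shows why it mattered: the loop above appends text.value[i] into str one character at a time and the result was then handed to gtk_html_stream_printf as the format itself, so whatever the loop does to the text does nothing against '%' directives; with "%s" the text is only an argument. Building with -Wformat=2 (which enables -Wformat-security and -Wformat-nonliteral) would flag any remaining calls of this shape, such as the e-calendar-view.c site the cover mail mentions, before the patch is finalised.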
diff -Naur evolution-2.0.4.orig/calendar/gui/e-calendar-table.c evolution-2.0.4/calendar/gui/e-calendar-table.c
--- evolution-2.0.4.orig/calendar/gui/e-calendar-table.c Fri Sep 24 17:49:27 2004
+++ evolution-2.0.4/calendar/gui/e-ca...


Martin Schulze (joey-infodrom) wrote :

Moritz Muehlenhoff wrote:
> Dear security team,
> so far there hasn't been a security update for the latest evolution
> vulnerabilities. (CVE-2005-2549/CVE-2005-2550)
> I've attached patches for Woody and Sarge. The Sarge fixes are straightforward,
> but some comments on Woody, relative to the patch hunks from the Sarge fix:
> - accum_attribute() isn't present in Woody, so hunk 1-3 are void.
> - the vulnerable code from e-cal-component-preview.c isn't present either.
> - the vulnerable code from e-calendar-table.c and e-calendar-view.c is contained
> in Woody, although in a different place. This is exploitable as well, have a
> look at the description of the function that feeds data into ical_string:
> | * cal-client/cal-client.c (cal_client_get_component_as_string): new
> | function to return a complete VCALENDAR string containing a VEVENT
> | or VTODO with all the VTIMEZONEs it uses.

Please go ahead.

Regards,

 Joey

> Cheers,
> Moritz
> diff -Naur evolution-2.0.4.orig/addressbook/gui/widgets/eab-contact-display.c evolution-2.0.4/addressbook/gui/widgets/eab-contact-display.c
> --- evolution-2.0.4.orig/addressbook/gui/widgets/eab-contact-display.c Mon Feb 14 17:09:03 2005
> +++ evolution-2.0.4/addressbook/gui/widgets/eab-contact-display.c Fri Nov 25 16:50:43 2005
> @@ -338,7 +338,7 @@
> accum_attribute (accum, contact, _("Yahoo"), E_CONTACT_IM_YAHOO_HOME_1, YAHOO_ICON, 0);
>
> if (accum->len > 0)
> - gtk_html_stream_printf (html_stream, accum->str);
> + gtk_html_stream_printf (html_stream, "%s", accum->str);
>
> end_block (html_stream);
>
> @@ -353,7 +353,7 @@
>
> if (accum->len > 0) {
> start_block (html_stream, _("work"));
> - gtk_html_stream_printf (html_stream, accum->str);
> + gtk_html_stream_printf (html_stream, "%s", accum->str);
> end_block (html_stream);
> }
>
> @@ -368,7 +368,7 @@
>
> if (accum->len > 0) {
> start_block (html_stream, _("personal"));
> - gtk_html_stream_printf (html_stream, accum->str);
> + gtk_html_stream_printf (html_stream, "%s", accum->str);
> end_block (html_stream);
> }
>
> diff -Naur evolution-2.0.4.orig/calendar/gui/e-cal-component-preview.c evolution-2.0.4/calendar/gui/e-cal-component-preview.c
> --- evolution-2.0.4.orig/calendar/gui/e-cal-component-preview.c Sun Apr 18 20:01:19 2004
> +++ evolution-2.0.4/calendar/gui/e-cal-component-preview.c Fri Nov 25 16:50:43 2005
> @@ -285,7 +285,7 @@
> str = g_string_append_c (str, text.value[i]);
> }
>
> - gtk_html_stream_printf (stream, str->str);
> + gtk_html_stream_printf (stream, "%s", str->str);
> g_string_free (str, TRUE);
> }
>
> diff -Naur evolution-2.0.4.orig/calendar/gui/e-calendar-table.c evolution-2.0.4/calendar/gui/e-calendar-table.c
> --- evolution-2.0.4.orig/calendar/gui/e-calendar-table.c Fri Sep 24 17:49:27 2004
> +++ evolution-2.0.4/calendar/gui/e-calendar-table.c Fri Nov 25 16:50:43 2005
> @@ -1212,7 +1212,7 @@
> return;
> }
>
> - fprintf (file, ical_string);
> + fprintf (file, "%s", ical_string);
> g_free (ical_string);
> fclose (file);
> }
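Review bot: fprintf (file, "%s", ical_string) closes the hole, though fputs (ical_string, file) is the direct equivalent and avoids the format parser entirely; the hunk's context also shows fclose (file) with its return value dropped, so a failed write of the exported calendar still goes unreported, which is worth fixing while this code is being touched given that ical_string, per the cover mail, comes from cal_client_get_component_as_string and therefore from data an invitation sender controls.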
> diff -Naur evolution-2.0.4.orig/calendar/gui/e-calendar-view.c evolution-2.0.4/calendar/gui/e-calend...
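The two sides of the e-calendar-table.c hunk quoted above, fprintf (file, ical_string) before and fprintf (file, "%s", ical_string) after, as an added C example that is neither Evolution code nor part of the Debian patch: it counts the conversion specifications a VCALENDAR string would trigger if used as the format (the pre-patch behaviour) and writes the same text as data, the way the fix does. The sample VEVENT and the names SAMPLE_ICAL, unsafe_format_specs, has_write_spec, write_ical_string and round_trips are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample, not real Evolution output: a VEVENT whose SUMMARY
 * carries '%' sequences, i.e. text an invitation sender controls. */
static const char SAMPLE_ICAL[] =
    "BEGIN:VEVENT\r\n"
    "SUMMARY:Budget review, 100% done %s %n\r\n"
    "END:VEVENT\r\n";

/* Count the conversion specifications printf would act on if `s` were the
 * format string, as in the pre-patch fprintf (file, ical_string). "%%" is a
 * literal percent and not counted; *writes is set if a "%n" store is found. */
static int unsafe_format_specs(const char *s, int *writes)
{
    int count = 0;
    *writes = 0;
    for (const char *p = s; (p = strchr(p, '%')) != NULL; p++) {
        if (p[1] == '%') { p++; continue; }   /* "%%": harmless literal */
        count++;
        const char *q = p + 1;                /* skip flags/width/precision/length */
        while (*q && strchr("-+ #0123456789.*hlLqjzt", *q)) q++;
        if (*q == 'n') *writes = 1;
    }
    return count;
}

/* Does `s` contain a "%n" store directive? */
static int has_write_spec(const char *s) { int w; unsafe_format_specs(s, &w); return w; }

/* The patched pattern, fprintf (file, "%s", ical_string), written with fputs:
 * the text is data, never a format. Returns 0 on success, -1 on error. */
static int write_ical_string(FILE *f, const char *s)
{
    return fputs(s, f) == EOF ? -1 : 0;
}

/* Write `s` through a temporary file and report whether it came back byte for
 * byte, which the pre-patch call could not guarantee for this input. */
static int round_trips(const char *s)
{
    char buf[1024];
    FILE *f = tmpfile();
    if (f == NULL || write_ical_string(f, s) != 0) return 0;
    rewind(f);
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    return n == strlen(s) && memcmp(buf, s, n) == 0;
}
```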

