Evolution vulnerability via HTML frames

Bug #243487 reported by Till Ulen on 2008-06-27
Affects | Status | Importance | Assigned to | Milestone
LibGtkHTML | Fix Released | Critical | |
evolution (Ubuntu) | | Undecided | Unassigned |
  Dapper | | Undecided | Unassigned |
  Feisty | | Undecided | Unassigned |
  Gutsy | | Undecided | Unassigned |
  Hardy | | Undecided | Unassigned |
gtkhtml3.14 (Ubuntu) | | High | Ubuntu Desktop Bugs |
  Dapper | | Low | Unassigned |
  Feisty | | Low | Unassigned |
  Gutsy | | Low | Unassigned |
  Hardy | | Low | Ubuntu Desktop Bugs |

Bug Description

Binary package hint: evolution

Juan Pablo Lopez Yacubian reported the following vulnerability to Bugtraq:
http://www.securityfocus.com/archive/1/493686/30/0/threaded

Pedro Villavicencio (pedro) wrote :

this has been fixed upstream, comments for further SRU:

"Patch committed to SVN stable (gnome-2-22) branch as r8880
http://svn.gnome.org/viewvc/gtkhtml?view=revision&revision=8880

Patch committed to SVN trunk as r8881
http://svn.gnome.org/viewvc/gtkhtml?view=revision&revision=8881
"

Thanks for reporting.

Changed in evolution:
status: New → Invalid
Changed in libgtkhtml2:
assignee: nobody → desktop-bugs
importance: Undecided → High
status: New → Fix Committed
Changed in evolution:
status: New → Invalid
Changed in gtkhtml3.14:
assignee: nobody → desktop-bugs

Jamie Strandboge (jdstrand) wrote :

This does not appear to be a serious security bug because it requires the user to insert a malicious HTML file into the mail composer. Based on the patch and (limited) blackbox testing, this does not appear to be remotely exploitable (e.g. via a crafted HTML email). The patch fixes reparent_embedded() in gtkhtml.c. This function is called by gtk_html_insert_html_generic(), which is in turn called by gtk_html_insert_html(), gtk_html_insert_gtk_html() and gtk_html_append_html(). These functions are only called via clipboard_paste_received_cb() and code from components/html-editor/engine.c.

I am going to set the priority to Low, as it appears to be just a crasher and requires user assistance.

Changed in gtkhtml3.14:
importance: Undecided → Low
status: New → Triaged
importance: Undecided → Low
status: New → Triaged
importance: Undecided → Low
status: New → Triaged
Changed in gtkhtml3.14:
importance: Undecided → Low
status: New → Triaged
Changed in evolution:
status: New → Invalid
status: New → Invalid
status: New → Invalid

Sebastien Bacher (seb128) wrote :

The new gtkhtml stable version has already been uploaded as a hardy update.

Changed in gtkhtml3.14:
status: Triaged → Fix Committed
status: Triaged → Fix Committed
status: Fix Committed → Triaged
status: Fix Committed → In Progress
Changed in gtkhtml3.14:
status: In Progress → Fix Committed
Changed in libgtkhtml:
status: Unknown → Fix Released

Martin Pitt (pitti) wrote :

Accepted into -proposed, please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

Sebastien Bacher (seb128) wrote :

a new rebuild revision has been uploaded now to some libglib issues, would be nice to give testing to this one too

Sebastien Bacher (seb128) wrote :

the new version is in intrepid

Changed in gtkhtml3.14:
status: Fix Committed → Fix Released

Sebastien Bacher (seb128) wrote :

the new version is in hardy-updates now

Changed in gtkhtml3.14:
status: Fix Committed → Fix Released

Steve Beattie (sbeattie) wrote :

Is this gtkhtml issue valid for Feisty and Gutsy, and if so, are we going to address this issue in those releases, or, given the low severity of the security vulnerability, should we close those tasks?

Dapper does not appear to include gtkhtml3.14, so I'm marking that task as invalid.

Changed in gtkhtml3.14:
status: Triaged → Invalid

Henrik Nilsen Omma (henrik) wrote :

Feisty is end-of-life -> Won't Fix.

Changed in gtkhtml3.14:
status: Triaged → Won't Fix

Henrik Nilsen Omma (henrik) wrote :

IMO this does not qualify as a high-impact bug in Gutsy, following the guidelines in https://wiki.ubuntu.com/StableReleaseUpdates -> Closing task.

Changed in gtkhtml3.14:
status: Triaged → Won't Fix
Changed in libgtkhtml:
importance: Unknown → Critical
This report contains Public Security information
Everyone can see this security related information.