evolution: Multiple format string vulnerabilities in Evolution

Debian Bug report logs - #322535
evolution: Multiple format string vulnerabilities in Evolution

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: evolution: Multiple format string vulnerabilities in Evolution

Date: Thu, 11 Aug 2005 11:25:46 +0200

Package: evolution
Severity: grave
Tags: security

Multiple exploitable format string vulnerabilities have been found in
Evolution. Please see 
http://www.securityfocus.com/archive/1/407789/30/0/threaded
for details. 2.3.7 fixes all these issues.

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-rc5
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)

Message #10 received at 322535@bugs.debian.org (full text, mbox, reply):

From: Ulf Harnhammar <metaur@telia.com>

To: 322535@bugs.debian.org

Subject: Patch

Date: Sat, 13 Aug 2005 12:47:45 +0200

If you don't want to upgrade to 2.3.7, which is unstable, you
can use our unofficial patch:

  o  http://www.sitic.se/dokument/evolution.formatstring.patch

// Ulf

Message #15 received at 322535@bugs.debian.org (full text, mbox, reply):

From: Neil McGovern <neilm@debian.org>

To: 322535@bugs.debian.org

Subject: NMU

Date: Mon, 22 Aug 2005 22:24:16 +0100

[Message part 1 (text/plain, inline)]

Hi there,

Can you please update the package.
If there's no reply by Friday, I'll prepare an NMU.

Many thanks,
Neil McGovern
-- 
   __   
 .Ž  `. neilm@debian.org | Application Manager
 : :' ! ---------------- | Secure-Testing Team member
 `. `Ž  gpg: B345BDD3    | Webapps Team member
   `-   Please don't cc, I'm subscribed to the list

[signature.asc (application/pgp-signature, inline)]

Message #20 received at 322535@bugs.debian.org (full text, mbox, reply):

From: Takuo KITAME <kitame@debian.org>

To: 322535@bugs.debian.org, Neil McGovern <neilm@debian.org>

Subject: Re: [Evolution] Bug#322535: NMU

Date: Thu, 25 Aug 2005 10:37:48 +0900

2005-08-22 (月) の 22:24 +0100 に Neil McGovern さんは書きました:
> Hi there,
> 
> Can you please update the package.
> If there's no reply by Friday, I'll prepare an NMU.
> 
> Many thanks,
> Neil McGovern

It seems no upstream release for 2.2.x (stable).
Please wait.

-- 
Takuo KITAME

Message #25 received at 322535@bugs.debian.org (full text, mbox, reply):

From: Neil McGovern <neilm@debian.org>

To: 322535@bugs.debian.org

Subject: Re: [Evolution] Bug#322535: NMU

Date: Fri, 26 Aug 2005 21:23:31 +0100

[Message part 1 (text/plain, inline)]

Hi there,

Although there's no new upstream stable, there's a nice patch that would
fix this security bug. See earlier in the thread.

Could you please apply this?

Cheers,
Neil
-- 
   __   
 .Ž  `. neilm@debian.org | Application Manager
 : :' ! ---------------- | Secure-Testing Team member
 `. `Ž  gpg: B345BDD3    | Webapps Team member
   `-   Please don't cc, I'm subscribed to the list

[signature.asc (application/pgp-signature, inline)]

Message #30 received at 322535-done@bugs.debian.org (full text, mbox, reply):

From: "Adam D. Barratt" <debian-bts@adam-barratt.org.uk>

To: 322535-done@bugs.debian.org, 322535-submitter@bugs.debian.org

Cc: neilm@debian.org

Subject: #322535 appears to be fixed

Date: Sat, 27 Aug 2005 18:41:57 +0100

Version: 2.2.3-3

Hi,

It looks like this was fixed in the evolution 2.2.3-3 packages uploaded
on Thursday, but not closed due to a typo in the changelog:

evolution (2.2.3-3) unstable; urgency=high

   * security fix. (closes: Bug#32253)
     - Multiple exploitable format string vulnerabilities
       Applied unofficial security fix patch from
       http://www.sitic.se/dokument/evolution.formatstring.patch

 -- Takuo KITAME <kitame@debian.org>  Thu, 25 Aug 2005 14:58:34 +0900

Closing now.

Regards,

Adam

Message #38 received at 322535@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>

To: team@security.debian.org

Cc: 322535@bugs.debian.org

Subject: evolution CVE-2005-2549/CVE-2005-2550

Date: Thu, 1 Dec 2005 15:13:42 +0100

[Message part 1 (text/plain, inline)]

Dear security team,
so far there hasn't been a security update for the latest evolution
vulnerabilities. (CVE-2005-2549/CVE-2005-2550)
I've attached patches for Woody and Sarge. The Sarge fixes are straightforward,
but some comments on Woody, relative to the patch hunks from the Sarge fix:
- accum_attribute() isn't present in Woody, so hunk 1-3 are void.
- the vulnerable code from e-cal-component-preview.c isn't present either.
- the vulnerable code from e-calendar-table.c and e-calendar-view.c is contained
  in Woody, although in a different place. This is exploitable as well, have a
  look at the description of the function that feeds data into ical_string:
  | * cal-client/cal-client.c (cal_client_get_component_as_string): new
  |   function to return a complete VCALENDAR string containing a VEVENT
  |   or VTODO with all the VTIMEZONEs it uses.

Cheers,
        Moritz

[CVE-2005-2549-CVE-2005-2550-evolution-sarge.patch (text/plain, attachment)]

[CVE-2005-2549-CVE-2005-2550-evolution-woody.patch (text/plain, attachment)]

Message #43 received at 322535@bugs.debian.org (full text, mbox, reply):

From: Martin Schulze <joey@infodrom.org>

To: Moritz Muehlenhoff <jmm@inutil.org>

Cc: team@security.debian.org, 322535@bugs.debian.org

Subject: Re: evolution CVE-2005-2549/CVE-2005-2550

Date: Mon, 6 Feb 2006 15:52:00 +0100

Moritz Muehlenhoff wrote:
> Dear security team,
> so far there hasn't been a security update for the latest evolution
> vulnerabilities. (CVE-2005-2549/CVE-2005-2550)
> I've attached patches for Woody and Sarge. The Sarge fixes are straightforward,
> but some comments on Woody, relative to the patch hunks from the Sarge fix:
> - accum_attribute() isn't present in Woody, so hunk 1-3 are void.
> - the vulnerable code from e-cal-component-preview.c isn't present either.
> - the vulnerable code from e-calendar-table.c and e-calendar-view.c is contained
>   in Woody, although in a different place. This is exploitable as well, have a
>   look at the description of the function that feeds data into ical_string:
>   | * cal-client/cal-client.c (cal_client_get_component_as_string): new
>   |   function to return a complete VCALENDAR string containing a VEVENT
>   |   or VTODO with all the VTIMEZONEs it uses.

Please go ahead.

Regards,

	Joey

> Cheers,
>         Moritz
> diff -Naur evolution-2.0.4.orig/addressbook/gui/widgets/eab-contact-display.c evolution-2.0.4/addressbook/gui/widgets/eab-contact-display.c
> --- evolution-2.0.4.orig/addressbook/gui/widgets/eab-contact-display.c	Mon Feb 14 17:09:03 2005
> +++ evolution-2.0.4/addressbook/gui/widgets/eab-contact-display.c	Fri Nov 25 16:50:43 2005
> @@ -338,7 +338,7 @@
>  	accum_attribute (accum, contact, _("Yahoo"), E_CONTACT_IM_YAHOO_HOME_1, YAHOO_ICON, 0);
>  
>  	if (accum->len > 0)
> -		gtk_html_stream_printf (html_stream, accum->str);
> +		gtk_html_stream_printf (html_stream, "%s", accum->str);
>  
>  	end_block (html_stream);
>  
> @@ -353,7 +353,7 @@
>  
>  	if (accum->len > 0) {
>  		start_block (html_stream, _("work"));
> -		gtk_html_stream_printf (html_stream, accum->str);
> +		gtk_html_stream_printf (html_stream, "%s", accum->str);
>  		end_block (html_stream);
>  	}
>  
> @@ -368,7 +368,7 @@
>  
>  	if (accum->len > 0) {
>  		start_block (html_stream, _("personal"));
> -		gtk_html_stream_printf (html_stream, accum->str);
> +		gtk_html_stream_printf (html_stream, "%s", accum->str);
>  		end_block (html_stream);
>  	}
>  
> diff -Naur evolution-2.0.4.orig/calendar/gui/e-cal-component-preview.c evolution-2.0.4/calendar/gui/e-cal-component-preview.c
> --- evolution-2.0.4.orig/calendar/gui/e-cal-component-preview.c	Sun Apr 18 20:01:19 2004
> +++ evolution-2.0.4/calendar/gui/e-cal-component-preview.c	Fri Nov 25 16:50:43 2005
> @@ -285,7 +285,7 @@
>  					str = g_string_append_c (str, text.value[i]);
>  			}
>  
> -			gtk_html_stream_printf (stream, str->str);
> +			gtk_html_stream_printf (stream, "%s", str->str);
>  			g_string_free (str, TRUE);
>  		}
>  
> diff -Naur evolution-2.0.4.orig/calendar/gui/e-calendar-table.c evolution-2.0.4/calendar/gui/e-calendar-table.c
> --- evolution-2.0.4.orig/calendar/gui/e-calendar-table.c	Fri Sep 24 17:49:27 2004
> +++ evolution-2.0.4/calendar/gui/e-calendar-table.c	Fri Nov 25 16:50:43 2005
> @@ -1212,7 +1212,7 @@
>  		return;
>  	}
>  	
> -	fprintf (file, ical_string);
> +	fprintf (file, "%s", ical_string);
>  	g_free (ical_string);
>  	fclose (file);
>  }
> diff -Naur evolution-2.0.4.orig/calendar/gui/e-calendar-view.c evolution-2.0.4/calendar/gui/e-calendar-view.c
> --- evolution-2.0.4.orig/calendar/gui/e-calendar-view.c	Mon Feb 14 17:09:04 2005
> +++ evolution-2.0.4/calendar/gui/e-calendar-view.c	Fri Nov 25 16:50:43 2005
> @@ -1074,7 +1074,7 @@
>  		return;
>  	}
>  	
> -	fprintf (file, ical_string);
> +	fprintf (file, "%s", ical_string);
>  	g_free (ical_string);
>  	fclose (file);
>  

> diff -Naur evolution-1.0.5.orig/calendar/gui/dialogs/comp-editor.c evolution-1.0.5/calendar/gui/dialogs/comp-editor.c
> --- evolution-1.0.5.orig/calendar/gui/dialogs/comp-editor.c	2002-02-19 16:33:02.000000000 +0100
> +++ evolution-1.0.5/calendar/gui/dialogs/comp-editor.c	2005-12-01 15:01:23.000000000 +0100
> @@ -1088,7 +1088,7 @@
>  			return;
>  		}
>  
> -		fprintf (file, ical_string);
> +		fprintf (file, "%s", ical_string);
>  		g_free (ical_string);
>  		fclose (file);
>  


-- 
Reading is a lost art nowadays.  -- Michael Weber

Please always Cc to me when replying to me on the lists.

Send a report that this bug log contains spam.