Debian Bug report logs -
#322535
evolution: Multiple format string vulnerabilities in Evolution
Reported by: Moritz Muehlenhoff <jmm@inutil.org>
Date: Thu, 11 Aug 2005 09:33:12 UTC
Severity: grave
Tags: security
Fixed in version 2.2.3-3
Done: "Adam D. Barratt" <debian-bts@adam-barratt.org.uk>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Evolution Maintainers <pkg-evolution-maintainers@lists.alioth.debian.org>: Bug#322535; Package evolution.
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: New Bug report received and forwarded. Copy sent to Debian Evolution Maintainers <pkg-evolution-maintainers@lists.alioth.debian.org>.
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: evolution
Severity: grave
Tags: security
Multiple exploitable format string vulnerabilities have been found in
Evolution. Please see
http://www.securityfocus.com/archive/1/407789/30/0/threaded
for details. 2.3.7 fixes all these issues.
Cheers,
Moritz
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-rc5
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Evolution Maintainers <pkg-evolution-maintainers@lists.alioth.debian.org>: Bug#322535; Package evolution.
Acknowledgement sent to metaur@telia.com: Extra info received and forwarded to list. Copy sent to Debian Evolution Maintainers <pkg-evolution-maintainers@lists.alioth.debian.org>.
Message #10 received at 322535@bugs.debian.org (full text, mbox, reply):
If you don't want to upgrade to 2.3.7, which is unstable, you
can use our unofficial patch:
o http://www.sitic.se/dokument/evolution.formatstring.patch
// Ulf
Acknowledgement sent to Neil McGovern <neilm@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Evolution Maintainers <pkg-evolution-maintainers@lists.alioth.debian.org>.
Message #15 received at 322535@bugs.debian.org (full text, mbox, reply):
Hi there,
Can you please update the package.
If there's no reply by Friday, I'll prepare an NMU.
Many thanks,
Neil McGovern
--
__
.´ `. neilm@debian.org | Application Manager
: :' ! ---------------- | Secure-Testing Team member
`. `´ gpg: B345BDD3 | Webapps Team member
`- Please don't cc, I'm subscribed to the list
Acknowledgement sent to Takuo KITAME <kitame@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Evolution Maintainers <pkg-evolution-maintainers@lists.alioth.debian.org>.
Message #20 received at 322535@bugs.debian.org (full text, mbox, reply):
On Mon, 2005-08-22 at 22:24 +0100, Neil McGovern wrote:
> Hi there,
>
> Can you please update the package.
> If there's no reply by Friday, I'll prepare an NMU.
>
> Many thanks,
> Neil McGovern
It seems there is no upstream release for 2.2.x (stable).
Please wait.
--
Takuo KITAME
Acknowledgement sent to Neil McGovern <neilm@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Evolution Maintainers <pkg-evolution-maintainers@lists.alioth.debian.org>.
Message #25 received at 322535@bugs.debian.org (full text, mbox, reply):
Hi there,
Although there's no new upstream stable, there's a nice patch that would
fix this security bug. See earlier in the thread.
Could you please apply this?
Cheers,
Neil
--
__
.´ `. neilm@debian.org | Application Manager
: :' ! ---------------- | Secure-Testing Team member
`. `´ gpg: B345BDD3 | Webapps Team member
`- Please don't cc, I'm subscribed to the list
Reply sent to "Adam D. Barratt" <debian-bts@adam-barratt.org.uk>: You have taken responsibility.
Notification sent to Moritz Muehlenhoff <jmm@inutil.org>: Bug acknowledged by developer.
Message #30 received at 322535-done@bugs.debian.org (full text, mbox, reply):
Version: 2.2.3-3
Hi,
It looks like this was fixed in the evolution 2.2.3-3 packages uploaded
on Thursday, but not closed due to a typo in the changelog:
evolution (2.2.3-3) unstable; urgency=high
* security fix. (closes: Bug#32253)
- Multiple exploitable format string vulnerabilities
Applied unofficial security fix patch from
http://www.sitic.se/dokument/evolution.formatstring.patch
-- Takuo KITAME <kitame@debian.org> Thu, 25 Aug 2005 14:58:34 +0900
Closing now.
Regards,
Adam
Message sent on to Moritz Muehlenhoff <jmm@inutil.org>: Bug#322535.
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Debian Evolution Maintainers <pkg-evolution-maintainers@lists.alioth.debian.org>.
Message #38 received at 322535@bugs.debian.org (full text, mbox, reply):
Dear security team,
so far there hasn't been a security update for the latest evolution
vulnerabilities. (CVE-2005-2549/CVE-2005-2550)
I've attached patches for Woody and Sarge. The Sarge fixes are straightforward,
but some comments on Woody, relative to the patch hunks from the Sarge fix:
- accum_attribute() isn't present in Woody, so hunks 1-3 are void.
- the vulnerable code from e-cal-component-preview.c isn't present either.
- the vulnerable code from e-calendar-table.c and e-calendar-view.c is contained
in Woody, although in a different place. This is exploitable as well, have a
look at the description of the function that feeds data into ical_string:
| * cal-client/cal-client.c (cal_client_get_component_as_string): new
| function to return a complete VCALENDAR string containing a VEVENT
| or VTODO with all the VTIMEZONEs it uses.
Cheers,
Moritz
[CVE-2005-2549-CVE-2005-2550-evolution-sarge.patch (text/plain, attachment)]
[CVE-2005-2549-CVE-2005-2550-evolution-woody.patch (text/plain, attachment)]
Acknowledgement sent to Martin Schulze <joey@infodrom.org>: Extra info received and forwarded to list. Copy sent to Debian Evolution Maintainers <pkg-evolution-maintainers@lists.alioth.debian.org>.
Message #43 received at 322535@bugs.debian.org (full text, mbox, reply):
Moritz Muehlenhoff wrote:
> Dear security team,
> so far there hasn't been a security update for the latest evolution
> vulnerabilities. (CVE-2005-2549/CVE-2005-2550)
> I've attached patches for Woody and Sarge. The Sarge fixes are straightforward,
> but some comments on Woody, relative to the patch hunks from the Sarge fix:
> - accum_attribute() isn't present in Woody, so hunks 1-3 are void.
> - the vulnerable code from e-cal-component-preview.c isn't present either.
> - the vulnerable code from e-calendar-table.c and e-calendar-view.c is contained
> in Woody, although in a different place. This is exploitable as well, have a
> look at the description of the function that feeds data into ical_string:
> | * cal-client/cal-client.c (cal_client_get_component_as_string): new
> | function to return a complete VCALENDAR string containing a VEVENT
> | or VTODO with all the VTIMEZONEs it uses.
Please go ahead.
Regards,
Joey
> Cheers,
> Moritz
> diff -Naur evolution-2.0.4.orig/addressbook/gui/widgets/eab-contact-display.c evolution-2.0.4/addressbook/gui/widgets/eab-contact-display.c
> --- evolution-2.0.4.orig/addressbook/gui/widgets/eab-contact-display.c Mon Feb 14 17:09:03 2005
> +++ evolution-2.0.4/addressbook/gui/widgets/eab-contact-display.c Fri Nov 25 16:50:43 2005
> @@ -338,7 +338,7 @@
> accum_attribute (accum, contact, _("Yahoo"), E_CONTACT_IM_YAHOO_HOME_1, YAHOO_ICON, 0);
>
> if (accum->len > 0)
> - gtk_html_stream_printf (html_stream, accum->str);
> + gtk_html_stream_printf (html_stream, "%s", accum->str);
>
> end_block (html_stream);
>
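Review bot: At the gtk_html_stream_printf (html_stream, "%s", accum->str) call no formatting is being done, so a length-based write such as GtkHTML's gtk_html_stream_write (html_stream, accum->str, accum->len) would bypass format parsing altogether and could not regress to a bare-string call in a later edit. The same applies to the "work" and "personal" blocks in the two hunks that follow in this file.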
> @@ -353,7 +353,7 @@
>
> if (accum->len > 0) {
> start_block (html_stream, _("work"));
> - gtk_html_stream_printf (html_stream, accum->str);
> + gtk_html_stream_printf (html_stream, "%s", accum->str);
> end_block (html_stream);
> }
>
> @@ -368,7 +368,7 @@
>
> if (accum->len > 0) {
> start_block (html_stream, _("personal"));
> - gtk_html_stream_printf (html_stream, accum->str);
> + gtk_html_stream_printf (html_stream, "%s", accum->str);
> end_block (html_stream);
> }
>
> diff -Naur evolution-2.0.4.orig/calendar/gui/e-cal-component-preview.c evolution-2.0.4/calendar/gui/e-cal-component-preview.c
> --- evolution-2.0.4.orig/calendar/gui/e-cal-component-preview.c Sun Apr 18 20:01:19 2004
> +++ evolution-2.0.4/calendar/gui/e-cal-component-preview.c Fri Nov 25 16:50:43 2005
> @@ -285,7 +285,7 @@
> str = g_string_append_c (str, text.value[i]);
> }
>
> - gtk_html_stream_printf (stream, str->str);
> + gtk_html_stream_printf (stream, "%s", str->str);
> g_string_free (str, TRUE);
> }
>
> diff -Naur evolution-2.0.4.orig/calendar/gui/e-calendar-table.c evolution-2.0.4/calendar/gui/e-calendar-table.c
> --- evolution-2.0.4.orig/calendar/gui/e-calendar-table.c Fri Sep 24 17:49:27 2004
> +++ evolution-2.0.4/calendar/gui/e-calendar-table.c Fri Nov 25 16:50:43 2005
> @@ -1212,7 +1212,7 @@
> return;
> }
>
> - fprintf (file, ical_string);
> + fprintf (file, "%s", ical_string);
> g_free (ical_string);
> fclose (file);
> }
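Review bot: The results of fprintf (file, "%s", ical_string) and of the fclose (file) that follows are both ignored, so a short write or a failed flush during export goes unreported. Since this line is being touched anyway, consider fputs (ical_string, file) with a check of both return values; the identical pattern recurs in e-calendar-view.c and comp-editor.c below.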
> diff -Naur evolution-2.0.4.orig/calendar/gui/e-calendar-view.c evolution-2.0.4/calendar/gui/e-calendar-view.c
> --- evolution-2.0.4.orig/calendar/gui/e-calendar-view.c Mon Feb 14 17:09:04 2005
> +++ evolution-2.0.4/calendar/gui/e-calendar-view.c Fri Nov 25 16:50:43 2005
> @@ -1074,7 +1074,7 @@
> return;
> }
>
> - fprintf (file, ical_string);
> + fprintf (file, "%s", ical_string);
> g_free (ical_string);
> fclose (file);
>
> diff -Naur evolution-1.0.5.orig/calendar/gui/dialogs/comp-editor.c evolution-1.0.5/calendar/gui/dialogs/comp-editor.c
> --- evolution-1.0.5.orig/calendar/gui/dialogs/comp-editor.c 2002-02-19 16:33:02.000000000 +0100
> +++ evolution-1.0.5/calendar/gui/dialogs/comp-editor.c 2005-12-01 15:01:23.000000000 +0100
> @@ -1088,7 +1088,7 @@
> return;
> }
>
> - fprintf (file, ical_string);
> + fprintf (file, "%s", ical_string);
> g_free (ical_string);
> fclose (file);
>
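Review bot: The evolution-1.0.5 diff changes only this single fprintf in comp-editor.c, while the 2.0.4 diff above touches six call sites in four files. The cover note explains why the accum_attribute and e-cal-component-preview.c hunks do not apply to Woody; the patch description should also state that comp-editor.c is the only place in 1.0.5 where ical_string reaches a printf-style function as the format argument, so a reviewer can confirm nothing else was missed.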
--
Reading is a lost art nowadays. -- Michael Weber
Please always Cc to me when replying to me on the lists.
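The effect of the one-line change in the patch above, as an added example that is not part of the thread or of Evolution's source. The names stream_printf, export_unpatched, export_patched, round_trips and SAMPLE are hypothetical, and the calendar text is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style writer, standing in for wrappers such as
 * gtk_html_stream_printf. Declaring it with
 * __attribute__((format(printf, 3, 4))) would let gcc -Wformat-security
 * flag the unpatched call below at build time. */
static int stream_printf(char *out, size_t cap, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, cap, fmt, ap);
    va_end(ap);
    return n;
}

/* Pre-patch pattern: the data itself is parsed as the format string. */
static int export_unpatched(char *out, size_t cap, const char *ical)
{
    return stream_printf(out, cap, ical);
}

/* Patched pattern: constant format, data passed as an argument. */
static int export_patched(char *out, size_t cap, const char *ical)
{
    return stream_printf(out, cap, "%s", ical);
}

/* Returns 1 if the exporter reproduces the input byte for byte, else 0. */
static int round_trips(int (*export_fn)(char *, size_t, const char *),
                       const char *ical)
{
    char out[256];
    int n = export_fn(out, sizeof out, ical);
    return n == (int)strlen(ical) && strcmp(out, ical) == 0;
}

/* Constructed sample. "%%" consumes no argument, so even the unpatched
 * call stays well defined while still showing that the data is parsed. */
static const char SAMPLE[] =
    "BEGIN:VEVENT\r\nSUMMARY:Budget review 100%% done\r\nEND:VEVENT\r\n";

int main(void)
{
    printf("unpatched: %d\n", round_trips(export_unpatched, SAMPLE));
    printf("patched:   %d\n", round_trips(export_patched, SAMPLE));
    return 0;
}
```

A round-trip comparison like this works as a regression test for export paths: any call site that still treats stored data as a format string alters the output as soon as the data contains a percent sign.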
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org (Mon, 25 Jun 2007 04:56:33 GMT).
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:29:10 2019; Machine Name: beach