Two buffer overflows in evolution

Related Vulnerabilities: CVE-2008-1108, CVE-2008-2119, CVE-2008-1109

Debian Bug report logs - #484639
Two buffer overflows in evolution


Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>

Date: Thu, 5 Jun 2008 09:29:26 UTC

Severity: grave

Tags: patch, security

Found in version evolution/2.22.2-1

Fixed in versions evolution/2.22.2-1.1, evolution/2.22.3.1-1

Done: Heikki Henriksen <heikkih@gmail.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian Evolution Maintainers <pkg-evolution-maintainers@lists.alioth.debian.org>:
Bug#484639; Package evolution.


Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian Evolution Maintainers <pkg-evolution-maintainers@lists.alioth.debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Two buffer overflows in evolution
Date: Thu, 05 Jun 2008 19:18:43 +1000
Package: evolution
Version: 2.22.2-1
Severity: grave
Tags: security, patch
Justification: user security hole

Hi

The following CVEs[0][1] have been issued against evolution.

CVE-2008-1108:

The vulnerability is caused due to a boundary error when parsing
timezone strings contained within iCalendar attachments. This can be
exploited to overflow a static buffer via an overly long timezone
string.

Successful exploitation allows execution of arbitrary code, but
requires that the ITip Formatter plugin is disabled.


CVE-2008-2119:

The vulnerability is caused due to a boundary error when replying to
an iCalendar request while in calendar view. This can be exploited to
cause a heap-based buffer overflow via an overly long "DESCRIPTION"
property included in an iCalendar attachment.

Successful exploitation allows execution of arbitrary code, but
requires that the user accepts the iCalendar request and replies
to it from the "Calendars" window.

The Gentoo bug report can be found here[2] together with patches[3][4].


Please mention the CVE ids in your changelog, when you fix the issues.

Cheers
Steffen

[0]: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1108

[1]: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1109

[2]: http://bugs.gentoo.org/show_bug.cgi?id=223963

[3]: http://bugs.gentoo.org/attachment.cgi?id=154593

[4]: http://bugs.gentoo.org/attachment.cgi?id=154595




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Evolution Maintainers <pkg-evolution-maintainers@lists.alioth.debian.org>:
Bug#484639; Package evolution.


Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Debian Evolution Maintainers <pkg-evolution-maintainers@lists.alioth.debian.org>.


Message #10 received at 484639@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: 484639@bugs.debian.org
Subject: NMU patch for evolution
Date: Sat, 7 Jun 2008 14:29:03 +1000
Hi

Attached you'll find the NMU patch. Please note that it also fixes a potential 
crash, which could be triggered by a remote DoS attack.
See http://bugzilla.gnome.org/show_bug.cgi?id=535459

Cheers
Steffen
[nmu.patch (text/x-diff, attachment)]

Reply sent to Steffen Joeris <white@debian.org>:
You have taken responsibility.


Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer.


Message #15 received at 484639-close@bugs.debian.org:

From: Steffen Joeris <white@debian.org>
To: 484639-close@bugs.debian.org
Subject: Bug#484639: fixed in evolution 2.22.2-1.1
Date: Sat, 07 Jun 2008 04:47:10 +0000
Source: evolution
Source-Version: 2.22.2-1.1

We believe that the bug you reported is fixed in the latest version of
evolution, which is due to be installed in the Debian FTP archive:

evolution-common_2.22.2-1.1_all.deb
  to pool/main/e/evolution/evolution-common_2.22.2-1.1_all.deb
evolution-dbg_2.22.2-1.1_i386.deb
  to pool/main/e/evolution/evolution-dbg_2.22.2-1.1_i386.deb
evolution-dev_2.22.2-1.1_i386.deb
  to pool/main/e/evolution/evolution-dev_2.22.2-1.1_i386.deb
evolution-plugins-experimental_2.22.2-1.1_i386.deb
  to pool/main/e/evolution/evolution-plugins-experimental_2.22.2-1.1_i386.deb
evolution-plugins_2.22.2-1.1_i386.deb
  to pool/main/e/evolution/evolution-plugins_2.22.2-1.1_i386.deb
evolution_2.22.2-1.1.diff.gz
  to pool/main/e/evolution/evolution_2.22.2-1.1.diff.gz
evolution_2.22.2-1.1.dsc
  to pool/main/e/evolution/evolution_2.22.2-1.1.dsc
evolution_2.22.2-1.1_i386.deb
  to pool/main/e/evolution/evolution_2.22.2-1.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 484639@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steffen Joeris <white@debian.org> (supplier of updated evolution package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 07 Jun 2008 03:14:04 +0000
Source: evolution
Binary: evolution evolution-common evolution-dev evolution-dbg evolution-plugins evolution-plugins-experimental
Architecture: source all i386
Version: 2.22.2-1.1
Distribution: unstable
Urgency: high
Maintainer: Debian Evolution Maintainers <pkg-evolution-maintainers@lists.alioth.debian.org>
Changed-By: Steffen Joeris <white@debian.org>
Description: 
 evolution  - groupware suite with mail client and organizer
 evolution-common - architecture independent files for Evolution
 evolution-dbg - debugging symbols for Evolution
 evolution-dev - development library files for Evolution
 evolution-plugins - standard plugins for Evolution
 evolution-plugins-experimental - experimental plugins for Evolution
Closes: 484639
Changes: 
 evolution (2.22.2-1.1) unstable; urgency=high
 .
   * Non-maintainer upload by the security team
   * Fix two buffer overflows and a possible DoS attack (Closes: 484639)
    - Use a Gstring instead of a fixed sized buffer to build the HTML
      string
      Fixes: CVE-2008-1108
    - Avoid using a fixed sized buffer for parsing external data
      Fixes: CVE-2008-1109
    - Add sanity checks to avoid remotely triggered DoS
      See http://bugzilla.gnome.org/show_bug.cgi?id=535459

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkhKDhIACgkQ62zWxYk/rQcu4gCgmqZqlDvaW0YkgRHb0PXOm5OD
2cMAn2LQOwyGf8biKlAgO2sEd2vOai7I
=5jtF
-----END PGP SIGNATURE-----
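
The changelog above fixes CVE-2008-1108 by building the HTML string in a GString instead of a fixed-size buffer. The following is an added example, not Evolution's code and not the NMU patch: it contrasts a bounded fixed-buffer write with a growable string in plain C, and also escapes HTML metacharacters, which goes beyond what the changelog states. The names `dynstr`, `format_tz_fixed`, `format_tz_dynamic` and the "Time zone" markup are hypothetical, and the small growable string stands in for GString so the code builds without GLib.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Growable string standing in for GLib's GString; not Evolution's code. */
typedef struct { char *buf; size_t len, cap; } dynstr;
static const char PREFIX[] = "<b>Time zone:</b> ";   /* hypothetical markup */

/* Append n bytes, growing the buffer as needed. Returns 0, or -1 on failure. */
static int dynstr_append(dynstr *s, const char *src, size_t n) {
    if (n >= SIZE_MAX - s->len) return -1;           /* size_t overflow guard */
    size_t need = s->len + n + 1;
    if (need > s->cap) {
        size_t cap = s->cap ? s->cap : 64;
        while (cap < need) cap = (cap > SIZE_MAX / 2) ? need : cap * 2;
        char *p = realloc(s->buf, cap);
        if (!p) return -1;
        s->buf = p; s->cap = cap;
    }
    memcpy(s->buf + s->len, src, n);
    s->len += n; s->buf[s->len] = '\0';
    return 0;
}

/* Bounded fixed-buffer write (sprintf() would overflow); -1 = input did not fit. */
int format_tz_fixed(const char *tzid, char *out, size_t outsz) {
    int n = snprintf(out, outsz, "%s%s", PREFIX, tzid);
    return (n >= 0 && (size_t)n < outsz) ? 0 : -1;
}

/* Growable: escapes HTML metacharacters; caller frees; NULL on failure. */
char *format_tz_dynamic(const char *tzid) {
    dynstr s = {0};
    int rc = dynstr_append(&s, PREFIX, sizeof PREFIX - 1);
    for (const char *p = tzid; rc == 0 && *p; p++) {
        const char *e = *p == '&' ? "&amp;" : *p == '<' ? "&lt;" : *p == '>' ? "&gt;" : NULL;
        rc = e ? dynstr_append(&s, e, strlen(e)) : dynstr_append(&s, p, 1);
    }
    if (rc != 0) { free(s.buf); return NULL; }
    return s.buf;
}

int main(void) {
    char *html = format_tz_dynamic("Europe/Oslo <constructed>"); /* sample input */
    if (html) puts(html);
    free(html);
    return 0;
}
```

With a fixed buffer the caller has to handle the -1 result for over-long input; with the growable string the output size is derived from the external data rather than assumed in advance.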





Reply sent to Heikki Henriksen <heikkih@gmail.com>:
You have taken responsibility.


Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer.


Message #20 received at 484639-close@bugs.debian.org:

From: Heikki Henriksen <heikkih@gmail.com>
To: 484639-close@bugs.debian.org
Subject: Bug#484639: fixed in evolution 2.22.3.1-1
Date: Sun, 06 Jul 2008 13:02:12 +0000
Source: evolution
Source-Version: 2.22.3.1-1

We believe that the bug you reported is fixed in the latest version of
evolution, which is due to be installed in the Debian FTP archive:

evolution-common_2.22.3.1-1_all.deb
  to pool/main/e/evolution/evolution-common_2.22.3.1-1_all.deb
evolution-dbg_2.22.3.1-1_i386.deb
  to pool/main/e/evolution/evolution-dbg_2.22.3.1-1_i386.deb
evolution-dev_2.22.3.1-1_i386.deb
  to pool/main/e/evolution/evolution-dev_2.22.3.1-1_i386.deb
evolution-plugins-experimental_2.22.3.1-1_i386.deb
  to pool/main/e/evolution/evolution-plugins-experimental_2.22.3.1-1_i386.deb
evolution-plugins_2.22.3.1-1_i386.deb
  to pool/main/e/evolution/evolution-plugins_2.22.3.1-1_i386.deb
evolution_2.22.3.1-1.diff.gz
  to pool/main/e/evolution/evolution_2.22.3.1-1.diff.gz
evolution_2.22.3.1-1.dsc
  to pool/main/e/evolution/evolution_2.22.3.1-1.dsc
evolution_2.22.3.1-1_i386.deb
  to pool/main/e/evolution/evolution_2.22.3.1-1_i386.deb
evolution_2.22.3.1.orig.tar.gz
  to pool/main/e/evolution/evolution_2.22.3.1.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 484639@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Heikki Henriksen <heikkih@gmail.com> (supplier of updated evolution package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 06 Jul 2008 13:51:11 +0200
Source: evolution
Binary: evolution evolution-common evolution-dev evolution-dbg evolution-plugins evolution-plugins-experimental
Architecture: source all i386
Version: 2.22.3.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Evolution Maintainers <pkg-evolution-maintainers@lists.alioth.debian.org>
Changed-By: Heikki Henriksen <heikkih@gmail.com>
Description: 
 evolution  - groupware suite with mail client and organizer
 evolution-common - architecture independent files for Evolution
 evolution-dbg - debugging symbols for Evolution
 evolution-dev - development library files for Evolution
 evolution-plugins - standard plugins for Evolution
 evolution-plugins-experimental - experimental plugins for Evolution
Closes: 484639 488782
Changes: 
 evolution (2.22.3.1-1) unstable; urgency=medium
 .
   [ Pedro Fragoso ]
   * New upstream bugfix release (Closes: #488782)
     - Fixes security vulnerabilities CVE-2008-1108 and CVE-2008-1109
       (Closes: #484639)
     - Set urgency to medium
   * debian/control:
     - Add myself to Uploaders
     - Bump Standards-Version to 3.8.0 (no changes)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkhwuyQACgkQpnfX7JXajqncAQCfSFEhfQU2zdHo5a2mjFoXK4o+
hAEAnAiXYsd1+FZnEdNoU9xYpCHw+9Gf
=ez/M
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 04 Aug 2008 07:34:57 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:58:55 2019; Machine Name: beach
