Bug 165236

Summary: CAN-2005-2550 Sitic Vulnerability Advisory: SA05-001 Evolution multiple remote format string bugs (RHEL3)
Product: Red Hat Enterprise Linux 3
Reporter: Dave Malcolm <dmalcolm>
Component: evolution
Assignee: Dave Malcolm <dmalcolm>
Status: CLOSED ERRATA
Severity: high
Priority: medium
Version: 3.0
CC: security-response-team
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: impact=important,source=gnome,reported=20050805,public=20050810
Fixed In Version: RHSA-2005-267
Doc Type: Bug Fix
Last Closed: 2005-08-29 18:29:56 UTC
Bug Depends On: 165235
Attachments: Proposed patch to 1.4.5 to fix format strings in calendar code (flags: none)

Description Dave Malcolm 2005-08-05 18:38:59 UTC
+++ This bug was initially created as a clone of Bug #165235 +++

(don't yet know if this affects RHEL3)

Comment 1 Dave Malcolm 2005-08-05 20:42:54 UTC
From versions given in description (see bug 165235) would appear not to affect
RHEL3.  Haven't checked yet though.

Comment 2 Dave Malcolm 2005-08-11 00:49:47 UTC
It appears that at least part of the advisory may cover Evolution 1.4 and hence
RHEL3, and that there may be other similar vulnerabilities in RHEL3 (but not
RHEL4) that were not covered in Sitic's advisory.

The details: looking at their proposed patch:

calendar/gui/e-cal-component-preview.c: source file doesn't exist on RHEL3
evolution, appears to be no equivalent: OK

addressbook/gui/widgets/eab-contact-display.c: doesn't exist on RHEL3 evolution: OK

addressbook/gui/widgets directory: No usage of gtk_html_stream_printf: OK

calendar/gui/e-calendar-view.c: source file doesn't exist on RHEL3 evolution,
appears to be no equivalent: OK

calendar/gui/e-calendar-table.c: vulnerability appears to be relevant for RHEL3
Evolution, contradicting what is said in the advisory.  BAD

calendar/gui directory: Have checked all usages of gtk_html_stream_printf: all
use constant hardcoded format strings.
Checking usage of fprintf: appear to be problems in saving views:
calendar/gui/e-day-view.c: e_day_view_on_save_as
calendar/gui/e-week-view.c: e_week_view_on_save_as
both contain an: fprintf (file, ical_string);

These fprintfs are not present in the RHEL4 version.

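The audit in comment 2 (checking every gtk_html_stream_printf and fprintf call for a constant format string) can be partly automated. The following is an added example, not part of the bug report or the Evolution sources: a heuristic Python scan in which the helper names, the argument positions and the sample source are assumptions of this example; only the `fprintf (file, ical_string);` call is quoted from the comment.

```python
import re

# Calls named in the audit above, mapped to the zero-based position of
# their format-string argument (an assumption of this example).
FORMAT_ARG = {"fprintf": 1, "gtk_html_stream_printf": 1}
CALL_RE = re.compile(r"\b(" + "|".join(FORMAT_ARG) + r")\s*\(")
LITERAL_RE = re.compile(r'(?:"(?:[^"\\]|\\.)*"\s*)+')

def split_args(src, pos):
    """Split a call's arguments at top-level commas, starting after '('."""
    args, cur, depth, in_str = [], [], 0, False
    while pos < len(src):
        ch = src[pos]
        if in_str:
            if ch == "\\":                  # keep an escaped char such as \"
                ch = src[pos:pos + 2]
                pos += 1
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
        elif ch == "(":
            depth += 1
        elif ch == ")":
            if depth == 0:
                return args + ["".join(cur).strip()]
            depth -= 1
        elif ch == "," and depth == 0:
            args.append("".join(cur).strip())
            cur, ch = [], ""
        cur.append(ch)
        pos += 1
    return None                             # unbalanced call: skip it

def nonliteral_formats(src):
    """Return (line, function, format_argument) for each call whose
    format argument is not a plain string literal."""
    hits = []
    for m in CALL_RE.finditer(src):
        args = split_args(src, m.end())
        idx = FORMAT_ARG[m.group(1)]
        if args is None or len(args) <= idx:
            continue
        if not LITERAL_RE.fullmatch(args[idx]):
            hits.append((src.count("\n", 0, m.start()) + 1, m.group(1), args[idx]))
    return hits

# Constructed sample: only the first call is quoted from the comment above.
SAMPLE = '''\
fprintf (file, ical_string);
fprintf (file, "%s", ical_string);
gtk_html_stream_printf (stream, "<b>%s</b>, %s", summary, f (a, b));
'''
```

The scan does not strip C comments or expand macros, so its hits are candidates for manual review. For functions the compiler knows to be printf-like, GCC's `-Wformat-security` warning reports the same pattern at build time.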

Comment 3 Dave Malcolm 2005-08-11 00:51:49 UTC
I didn't see that Security had been unflagged, and that last comment got sent to
cluebot.

Sorry.  Have rechecked the Security Sensitive box.

Comment 4 Dave Malcolm 2005-08-11 01:05:43 UTC
See above two comments

Comment 5 Dave Malcolm 2005-08-11 01:14:30 UTC
Created attachment 117632
Proposed patch to 1.4.5 to fix format strings in calendar code

Comment 8 Red Hat Bugzilla 2005-08-29 18:29:56 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-267.html