Bug 182416

Summary: CVE-2006-0528 Evolution mail DoS
Product: [Fedora] Fedora Reporter: Josh Bressers <bressers>
Component: cairo Assignee: Carl Worth <cworth>
Status: CLOSED RAWHIDE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 5 CC: juergen.bullinger, rstrode
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://archives.neohapsis.com/archives/fulldisclosure/2006-01/0925.html
Whiteboard: source=cve,reported=20060202,impact=important,public=20060128
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-03-03 16:24:44 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On:    
Bug Blocks: 150222    
Attachments (Description / Flags)
mbox file which triggers this flaw
Preliminary patch, useful to confirm the diagnosis.
Make _cairo_xlib_surface_show_glyphs break things up into chunks. (Flags: none)

Description Josh Bressers 2006-02-22 08:45:01 EST
The message in the "URL" field of this bug describes a way to DoS the evolution
we currently ship in FC5test3.  This issue does not affect FC4 (I did check). 
According to SecurityFocus, it should only affect evolution 2.3 and above (I've
done zero verification of this though).
Comment 1 Josh Bressers 2006-02-22 08:45:01 EST
Created attachment 125028 [details]
mbox file which triggers this flaw
Comment 2 Josh Bressers 2006-02-23 16:22:50 EST
Ray tells me this is a cairo bug:
Comment 3 Ray Strode [halfline] 2006-02-23 18:52:13 EST
I talked to Carl and he said he thinks it will be an easy fix.  I have a vague
idea what to do, but I'll defer to him.
Comment 4 Carl Worth 2006-03-02 14:51:13 EST
Created attachment 125562 [details]
Preliminary patch, useful to confirm the diagnosis.

Here's the simplest patch I could think of to cairo that should actually solve
the bug.

It's not yet a fully adequate solution, for two reasons, as noted in the
comments of the patch (and copied below).

But if someone were able to verify that the evolution bug goes away after this
patch is applied to cairo, then that would be a useful thing to know.

I should have a more complete patch ready soon.


    /* XXX: This 20000 number was arbitrarily picked from the ballpark
     * of values that empirically appear to do the job. I'm working on
     * coming up with the real equation for deciding this cutoff. */

    /* XXX: Returning UNSUPPORTED in this case is not the kindest
     * thing to do. The results will still be correct, (the
     * UNSUPPORTED return will cause fallbacks to kick in), but there
     * will be a rather abrupt performance cliff for any application
     * that crosses this threshold. Better would be to still render
     * all the glyphs via XRender but just batch it up into
     * small-enough pieces. */
Comment 5 Carl Worth 2006-03-03 14:12:26 EST
Created attachment 125615 [details]
Make _cairo_xlib_surface_show_glyphs break things up into chunks.

Here's a better patch.

It resolves both problems of the previous patch, and therefore also avoids the
problem with the previous patch that Ray found which is that the fallbacks
could trigger an attempt to create a too-huge Pixmap and crash again.

Please let me know if this patch to cairo solves the problem with evolution.
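The two patches above differ in how they handle a glyph run too large for a single XRender request: the first returns UNSUPPORTED above an arbitrary cutoff (triggering fallbacks, with the Pixmap problem Ray found), the second keeps every glyph on the XRender path by batching. The following is an added C example, not code from this bug or from cairo; it simulates the request limit with an assumed constant (MAX_GLYPHS_PER_REQUEST = 4096), uses made-up names (composite_glyphs, show_glyphs_chunked, render_run, render_log_t, last_run) and constructs its own glyph run in place of the attached mbox message.

```c
#include <stdlib.h>
/* Glyph record with the same fields as cairo_glyph_t (index, x, y). */
typedef struct { unsigned long index; double x; double y; } glyph_t;
typedef enum { STATUS_SUCCESS = 0, STATUS_UNSUPPORTED = 1 } status_t;
/* Assumed stand-in for the X server's request-size limit, in glyphs per XRender request. */
#define MAX_GLYPHS_PER_REQUEST 4096
/* What the simulated backend saw; index_sum confirms every glyph was rendered exactly once. */
typedef struct { size_t requests, glyphs_rendered; unsigned long index_sum; } render_log_t;
render_log_t last_run;   /* log of the most recent render_run() call */

/* Simulated XRender call: refuses a batch too large for one request, as the
 * first patch did above its cutoff by returning UNSUPPORTED. */
static status_t composite_glyphs(render_log_t *log, const glyph_t *g, size_t n)
{
    if (n > MAX_GLYPHS_PER_REQUEST)
        return STATUS_UNSUPPORTED;
    for (size_t i = 0; i < n; i++)
        log->index_sum += g[i].index;
    log->requests++;
    log->glyphs_rendered += n;
    return STATUS_SUCCESS;
}

/* Second-patch behaviour: walk the run in request-sized chunks so every glyph
 * still goes through XRender, with no performance cliff and no fallback. */
static status_t show_glyphs_chunked(render_log_t *log, const glyph_t *g, size_t n)
{
    for (size_t off = 0; off < n; ) {
        size_t chunk = n - off > MAX_GLYPHS_PER_REQUEST ? MAX_GLYPHS_PER_REQUEST : n - off;
        status_t st = composite_glyphs(log, g + off, chunk);
        if (st != STATUS_SUCCESS)
            return st;
        off += chunk;
    }
    return STATUS_SUCCESS;
}

/* Constructs a run of n glyphs (indices 0..n-1, standing in for a long
 * message's text) and renders it either chunked or as one request. */
status_t render_run(size_t n, int chunked)
{
    glyph_t *g = calloc(n, sizeof *g);
    if (!g)
        return STATUS_UNSUPPORTED;
    for (size_t i = 0; i < n; i++)
        g[i].index = i;
    last_run = (render_log_t){0};
    status_t st = chunked ? show_glyphs_chunked(&last_run, g, n) : composite_glyphs(&last_run, g, n);
    free(g);
    return st;
}
```

With a 20000-glyph run (the cutoff value from the first patch) the single-request path fails outright, while the chunked path completes in five requests, none larger than the assumed limit.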

Comment 6 Ray Strode [halfline] 2006-03-03 16:24:44 EST
It looks like the fixed packages are queued up for tomorrow's rawhide, so closing...
Comment 7 Frank Arnold 2006-03-07 06:02:42 EST
*** Bug 181986 has been marked as a duplicate of this bug. ***