Red Hat Bugzilla – Full Text Bug Listing
| Field | Value |
|---|---|
| Summary | CVE-2008-1108 evolution: iCalendar buffer overflow via large timezone specification |
| Product | [Other] Security Response |
| Reporter | Tomas Hoger <thoger> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| QA Contact | |
| Version | unspecified |
| CC | kreilly, mbarnes, mcrha, rcvalle |
| Target Milestone | --- |
| Keywords | Reopened, Security |
| Fixed In Version | 2.22.2-2.fc9 |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Last Closed | 2008-06-06 03:59:35 EDT |
| Type | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Bug Depends On | 448719, 448720, 448721, 448722, 448723, 448724, 448725, 448726, 449922, 449923, 449924, 449925 |
Description Tomas Hoger 2008-05-27 11:12:29 EDT
Alin Rad Pop of Secunia Research discovered the following issue affecting evolution's iCalendar handling code:

A boundary error exists when parsing timezone strings contained within iCalendar attachments. This can be exploited to overflow a static buffer via an overly long timezone string. Successful exploitation allows execution of arbitrary code, but requires that the ITip Formatter plugin is disabled.

Vulnerability Details: The vulnerability is present within the "write_label_piece()" function in calendar/gui/e-itip-control.c at line 713, when the extracted display name of the timezone is longer than the destination buffer.

[calendar/gui/e-itip-control.c:713]
strcat(buffer, display_name);

Acknowledgements: Red Hat would like to thank Alin Rad Pop of Secunia Research for responsibly disclosing this issue.
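As an added illustration (constructed for this page, not Evolution's code or the attached patch), the following C model shows the pattern named in the description, a fixed-size label filled piece by piece with an unbounded strcat(), next to a size-checked append that truncates and reports instead of overflowing. LABEL_SIZE, append_bounded and write_label are assumed names; the real buffer size is not on this page.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the CVE-2008-1108 bug class. The original step was the
 * unbounded form of the append below:
 *     strcat(buffer, display_name);   // never compared against sizeof(buffer)
 * so a timezone display name longer than the static buffer overwrote memory
 * past its end. Every append here is bounded by the destination size. */

#define LABEL_SIZE 64   /* constructed size, not Evolution's */

/* Append `piece` to the NUL-terminated string in `dst` without writing beyond
 * `dst_size` bytes. Returns 1 if the whole piece fit, 0 if it was truncated;
 * in both cases `dst` stays NUL-terminated. `dst` must be terminated on entry. */
static int append_bounded(char *dst, size_t dst_size, const char *piece)
{
    size_t used = strlen(dst);
    if (used >= dst_size)                /* cannot be a terminated string; refuse */
        return 0;
    size_t room = dst_size - used - 1;   /* bytes left before the terminator */
    size_t need = strlen(piece);
    size_t n = need < room ? need : room;
    memcpy(dst + used, piece, n);
    dst[used + n] = '\0';
    return need <= room;
}

/* Build "<time> <zone display name>" the way a label writer would, returning 1
 * only if nothing had to be cut. A caller can then log or reject the input. */
int write_label(char *out, size_t out_size, const char *time_text,
                const char *tz_display_name)
{
    if (out_size == 0) return 0;
    out[0] = '\0';
    int ok = append_bounded(out, out_size, time_text);
    ok &= append_bounded(out, out_size, " ");
    ok &= append_bounded(out, out_size, tz_display_name);
    return ok;
}

/* Self-checks with constructed inputs: a normal zone name, then one far longer
 * than the buffer (the overlong-timezone case from the advisory). */
int demo_fits(void)
{
    char b[LABEL_SIZE];
    return write_label(b, sizeof b, "10:00", "Europe/Prague") == 1 &&
           strcmp(b, "10:00 Europe/Prague") == 0;
}
int demo_truncates(void)
{
    char b[LABEL_SIZE], big[512];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    /* truncated (returns 0), but the label ends exactly at the last byte */
    return write_label(b, sizeof b, "10:00", big) == 0 && strlen(b) == LABEL_SIZE - 1;
}
```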
Comment 3 Matthew Barnes 2008-05-27 14:13:54 EDT
Created attachment 306808: Patch

Here's the patch I proposed to upstream. It might be a bit more extensive than necessary to address this particular vulnerability, but I get paranoid when I see sprintf() being used anywhere. Upstream is reviewing the patch and should let me know tomorrow if it's acceptable. Like CVE-2008-1109, this also affects all supported Fedora releases.
Comment 11 Tomas Hoger 2008-05-29 08:19:19 EDT
Btw, there seem to be other instances of the write_label_piece() function doing similar strcat stuff without size checks in calendar/gui/print.c and calendar/gui/dialogs/comp-editor-util.c. Can those implementations be fed with malicious data from mail? How can they be reached? I suspect we should fix those as well.
Comment 12 Tomas Hoger 2008-05-29 09:10:03 EDT
print.c: The unbounded write in write_label_piece() is performed for stext and etext. The function is called from print_date_label() and only hard-coded strings (either in source code or in localization files) are passed as arguments, which cannot be controlled by a remote attacker. e_time_format_date_and_time() can possibly be called with a negative buffer_size argument, but this would require either a long stext (not controlled by an attacker) or possibly a long string returned in the previous e_time_format_date_and_time() call. That depends on the user's locale definition, out of remote attacker control.

comp-editor-util.c: Similar to the print.c case.

These should not have any security implications and cannot be triggered by crafted .ics files. Matthew, please correct me if I'm wrong. Thanks to Milan Crha for useful hints with these!
Comment 13 Matthew Barnes 2008-05-29 10:30:26 EDT
Correct. I would imagine Evolution is chock full of cases like that. There's a lot of old and poorly written code there, especially in the calendar. I was planning to sweep the current code base looking for similar unchecked string buffer writes and will let you know if I find anything exploitable.
Comment 16 Tomas Hoger 2008-06-04 05:40:38 EDT
Public now, lifting embargo:
http://secunia.com/advisories/30298
http://secunia.com/secunia_research/2008-22/advisory/
Comment 17 Tomas Hoger 2008-06-04 05:45:36 EDT
CVSSv2 scores are different for different evolution versions:

- old evolution versions that do not have the Itip Formatter plugin (e.g. as shipped in Red Hat Enterprise Linux 3 and 4): the overflow is triggered when the message is viewed, and the preview pane is enabled by default, hence AC:L
  cvss2=7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P
- newer evolution versions that have the Itip Formatter plugin, which is enabled by default (e.g. as shipped in Red Hat Enterprise Linux 5 and Fedora, and evolution28 packages as shipped in Red Hat Enterprise Linux 4): the issue can only be exploited if the user has disabled the Itip Formatter plugin, hence AC:M
  cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P
Comment 19 Fedora Update System 2008-06-04 07:12:17 EDT
evolution-2.10.3-10.fc7 has been submitted as an update for Fedora 7
Comment 20 Fedora Update System 2008-06-04 07:13:27 EDT
evolution-2.12.3-5.fc8 has been submitted as an update for Fedora 8
Comment 21 Fedora Update System 2008-06-04 07:14:58 EDT
evolution-2.22.2-2.fc9 has been submitted as an update for Fedora 9
Comment 22 Tomas Hoger 2008-06-04 07:38:16 EDT
Possible mitigations that can be used before updating to fixed packages:

- old evolution versions (Red Hat Enterprise Linux 3 and 4): No known mitigations, you have to install updated packages.
- newer evolution versions (Red Hat Enterprise Linux 5 and Fedora, evolution28 packages in Red Hat Enterprise Linux 4): Make sure the Itip Formatter plugin is enabled (it should be, as it is enabled by default). If uncertain, you can run evolution as 'evolution --component=calendar' to start evolution in Calendar view to avoid accidental loading of possibly malicious mail. You can check plugin settings from Calendar view.
Comment 23 Fedora Update System 2008-06-06 03:47:32 EDT
evolution-2.22.2-2.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
Comment 24 Fedora Update System 2008-06-06 03:49:10 EDT
evolution-2.12.3-5.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
Comment 25 Fedora Update System 2008-06-06 03:49:28 EDT
evolution-2.10.3-10.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
Comment 26 Red Hat Product Security 2008-06-06 03:59:35 EDT
This issue was addressed in:

Red Hat Enterprise Linux:
http://rhn.redhat.com/errata/RHSA-2008-0514.html
http://rhn.redhat.com/errata/RHSA-2008-0516.html
http://rhn.redhat.com/errata/RHSA-2008-0517.html
http://rhn.redhat.com/errata/RHSA-2008-0515.html

Fedora:
https://admin.fedoraproject.org/updates/F7/FEDORA-2008-5018
https://admin.fedoraproject.org/updates/F8/FEDORA-2008-5016
https://admin.fedoraproject.org/updates/F9/FEDORA-2008-4990