Bug 448540 (CVE-2008-1108)

Summary: CVE-2008-1108 evolution: iCalendar buffer overflow via large timezone specification
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: kreilly, mbarnes, mcrha, rcvalle
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: source=vendor-sec,reported=20080527,public=20080604,impact=critical,cvss2=7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P,cwe=CWE-119
Fixed In Version: 2.22.2-2.fc9 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-06-06 03:59:35 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 448719, 448720, 448721, 448722, 448723, 448724, 448725, 448726, 449922, 449923, 449924, 449925    
Bug Blocks:    

Description Tomas Hoger 2008-05-27 11:12:29 EDT
Alin Rad Pop of the Secunia Research discovered following issue affecting
evolution's iCalendar handling code:

A boundary error exists when parsing timezone strings contained
within iCalendar attachments. This can be exploited to overflow a static
buffer via an overly long timezone string.

Successful exploitation allows execution of arbitrary code, but requires
that the ITip Formatter plugin is disabled.

Vulnerability Details:
The vulnerability is present within the "write_label_piece()"
function in calendar/gui/e-itip-control.c at line 713, when the
extracted display name of the timezone is longer than the destination

		strcat(buffer, display_name);


Red Hat would like to thank Alin Rad Pop of Secunia Research for responsibly disclosing this issue.
Comment 3 Matthew Barnes 2008-05-27 14:13:54 EDT
Created attachment 306808 [details]

Here's the patch I proposed to upstream.  It might be a bit more extensive than
necessary to address this particular vulnerability, but I get paranoid when I
see sprintf() being used anywhere.  Upstream is reviewing the patch and should
let me know tomorrow if it's acceptable.

Like CVE-2008-1109, this also affects all supported Fedora releases.
Comment 5 Matthew Barnes 2008-05-28 07:37:31 EDT
Upstream approved the patch in comment #3.
Comment 11 Tomas Hoger 2008-05-29 08:19:19 EDT
Btw, there seems to be other instances of write_label_piece() function doing
doing similar strcat stuff without size checks in calendar/gui/print.c and
calendar/gui/dialogs/comp-editor-util.c .  Can those implementations be fed with
malicious data from mail?  How can they be reached.  I suspect we should fix
those as well.
Comment 12 Tomas Hoger 2008-05-29 09:10:03 EDT

Unbound write in write_label_piece() is performed for stext and etext.  Function
is called from print_date_label() and only hard-coded strings (either in source
code or in localization files) are passed as an arguments, and can not be
controlled by a remote attacker.

e_time_format_date_and_time() can possibly be called with negative buffer_size
argument, but this would require either long stext (not controlled by an
attacker) or possibly long string returned in previous
e_time_format_date_and_time() call.  That depends on user's locale definition,
out of remote attacker control.


Similar to print.c case.

These should not have any security implications and can not be triggered by
crafted .ics files.

Matthew, please correct me if I'm wrong.  Thanks to Milan Crha for useful hints
with these!
Comment 13 Matthew Barnes 2008-05-29 10:30:26 EDT
Correct.  I would imagine Evolution is chock full of cases like that.  There's a
lot of old and poorly written code there, especially in the calendar.

I was planning to sweep the current code base looking for similar unchecked
string buffer writes and will let you know if I find anything exploitable.
Comment 16 Tomas Hoger 2008-06-04 05:40:38 EDT
Public now, lifting embargo:

Comment 17 Tomas Hoger 2008-06-04 05:45:36 EDT
CVSSv2 scores are different for different evolution versions:

- old evolution versions that do not have Itip Formatter plugin (e.g. as shipped
in Red Hat Enterprise Linux 3 and 4) - the overflow is triggered when messages
is viewed, preview pane is enabled by default, hence AC:L


- newer evolution versions that have Itip Formatter plugin which is enabled by
default (e.g. as shipped in Red Hat Enterprise Linux 5 and Fedora, and
evolution28 packages as shipped in Red Hat Enterprise Linux 4); issue can only
be exploited if user has disabled Itip Formatter plugin, hence AC:M

Comment 19 Fedora Update System 2008-06-04 07:12:17 EDT
evolution-2.10.3-10.fc7 has been submitted as an update for Fedora 7
Comment 20 Fedora Update System 2008-06-04 07:13:27 EDT
evolution-2.12.3-5.fc8 has been submitted as an update for Fedora 8
Comment 21 Fedora Update System 2008-06-04 07:14:58 EDT
evolution-2.22.2-2.fc9 has been submitted as an update for Fedora 9
Comment 22 Tomas Hoger 2008-06-04 07:38:16 EDT
Possible mitigations that can be used before updating to fixed packages:

- old evolution versions (Red Hat Enterprise Linux 3 and 4) - No known
mitigations, you have to install updated packages.

- newer evolution versions (Red Hat Enterprise Linux 5 and Fedora, evolution28
packages in Red Hat Enterprise Linux 4) - Make sure Itip Formatter plugin is
enabled (should be, as it is enabled by default).  If uncertain, you can run
evolution as 'evolution --component=calendar' to start evolution in Calendar
view to avoid accidental loading of possibly malicious mail.  You can check
plugin settings from Calendar view.
Comment 23 Fedora Update System 2008-06-06 03:47:32 EDT
evolution-2.22.2-2.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 24 Fedora Update System 2008-06-06 03:49:10 EDT
evolution-2.12.3-5.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 25 Fedora Update System 2008-06-06 03:49:28 EDT
evolution-2.10.3-10.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.