Bug 448541 (CVE-2008-1109)
| Summary: | CVE-2008-1109 evolution: iCalendar buffer overflow via large description parameter | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> | ||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||
| Status: | CLOSED ERRATA | QA Contact: | |||||
| Severity: | high | Docs Contact: | |||||
| Priority: | high | ||||||
| Version: | unspecified | CC: | kreilly, mbarnes, mcepl, mcrha | ||||
| Target Milestone: | --- | Keywords: | Security | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2008-06-06 08:00:06 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | 448719, 448720, 448721, 448722, 449922, 449923, 449924, 449925 | ||||||
| Bug Blocks: | |||||||
| Attachments: |
|
||||||
Created attachment 306797 [details]
Patch
Damn, that's about the most poorly written source code I've seen all week.
Here's a patch for it.
Upstream approved the patch in comment #3. Public now, lifting embargo: http://secunia.com/advisories/30298 http://secunia.com/secunia_research/2008-23/advisory/ evolution-2.10.3-10.fc7 has been submitted as an update for Fedora 7 evolution-2.12.3-5.fc8 has been submitted as an update for Fedora 8 evolution-2.22.2-2.fc9 has been submitted as an update for Fedora 9 Possible mitigations that can be used to reduce risk before updating to fixed packages: Do not reply to meeting requests from the Calendar view. Do not accept untrusted meeting requests to you calendar. evolution-2.22.2-2.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report. evolution-2.12.3-5.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report. evolution-2.10.3-10.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report. This issue was addressed in: Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2008-0514.html http://rhn.redhat.com/errata/RHSA-2008-0515.html Fedora: https://admin.fedoraproject.org/updates/F7/FEDORA-2008-5018 https://admin.fedoraproject.org/updates/F8/FEDORA-2008-5016 https://admin.fedoraproject.org/updates/F9/FEDORA-2008-4990 |
Alin Rad Pop of the Secunia Research discovered following issue affecting evolution's iCalendar handling code: A boundary error exists when replying to an iCalendar request while in calendar view. This can be exploited to cause a heap-based buffer overflow via an overly long "DESCRIPTION" property string included in an iCalendar attachment. Successful exploitation allows execution of arbitrary code, but requires that the user accepts the iCalendar request and replies to it from the "Calendars" window. Vulnerability Details: The vulnerability is present within the "html_new_lines_for()" function in calendar/gui/itip-utils.c from line 190 on. [calendar/gui/itip-utils.c:179] char *html_string = (char *) malloc (sizeof (char)* (3500)); [ ... ] strcpy(html_string, (const char*) string); Acknowledgements: Red Hat would like to thank Alin Rad Pop of Secunia Research for responsibly disclosing this issue.