Evolution-Data-Server in GNOME Evolution through 3.29.2 might allow attackers to trigger a stack-based buffer overflow in addressbook/backends/ldap/e-book-backend-ldap.c via a long query that is processed by the strcat function. Upstream Bug: https://bugzilla.gnome.org/show_bug.cgi?id=796174 Upstream Patch: https://gitlab.gnome.org/GNOME/evolution-data-server/commit/34bad6173
Created evolution-data-server tracking bugs for this issue: Affects: fedora-all [bug 1592626]
(In reply to Sam Fowler from comment #0) > Evolution-Data-Server in GNOME Evolution through 3.29.2 might allow > attackers to trigger a stack-based buffer overflow in > addressbook/backends/ldap/e-book-backend-ldap.c via a long query that is > processed by the strcat function. Well, the above is not true. I made the change in eds only to get rid of the strcat() calls there, but when you read the code carefully you'll realize it was perfectly fine. There could not happen any buffer overflow. Also, the buffer had been allocated on the heap, not on the stack. This "issue" doesn't deserve CVE, from my point of view.
(In reply to Milan Crha from comment #3) > (In reply to Sam Fowler from comment #0) > > Evolution-Data-Server in GNOME Evolution through 3.29.2 might allow > > attackers to trigger a stack-based buffer overflow in > > addressbook/backends/ldap/e-book-backend-ldap.c via a long query that is > > processed by the strcat function. > > Well, the above is not true. I made the change in eds only to get rid of the > strcat() calls there, but when you read the code carefully you'll realize it > was perfectly fine. There could not happen any buffer overflow. Also, the > buffer had been allocated on the heap, not on the stack. > > This "issue" doesn't deserve CVE, from my point of view. This bug was filed due to the CVE publication by MITRE and based on the information in the upstream bug report: https://nvd.nist.gov/vuln/detail/CVE-2018-12422 The CVE was not assigned by Red Hat, though it is our policy to file bugs for CVEs that affect our products. I would suggest filing a dispute against the CVE assignment via the MITRE cveform: https://cveform.mitre.org/
Thanks for the pointers. I sent them a Rejection request. Let's wait for their response.
I cherry-picked the changes into the stable branches (gnome-3-28) upstream, thus they will be part of the 3.28.4 release. I still consider it not so useful, but to avoid issues at the last minute I made it anyway.
I agree with mcrha that this does not seem like a real vulnerability, but more like a security hardening. The query seems correctly allocated with the right size and after a bit of playing with the function (thanks to mcrha help on this), I couldn't even send a very long string to this function that may cause an integer overflow when computing the buffer size.
The CVE has been disputed by the maintainer. We are not going to treat this as a security vulnerability because even if strcat is used, the length of the destination string is precomputed and it is large enough.