Bug 182416 - CVE-2006-0528 Evolution mail DoS
Summary: CVE-2006-0528 Evolution mail DoS
Alias: None
Product: Fedora
Classification: Fedora
Component: cairo
Version: 5
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Carl Worth
QA Contact:
URL: http://archives.neohapsis.com/archive...
Whiteboard: source=cve,reported=20060202,impact=i...
: 181986 (view as bug list)
Depends On:
Blocks: FC5Blocker
TreeView+ depends on / blocked
Reported: 2006-02-22 13:45 UTC by Josh Bressers
Modified: 2007-11-30 22:11 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2006-03-03 21:24:44 UTC
Type: ---

Attachments (Terms of Use)
mbox file which triggers this flaw (41.03 KB, text/plain)
2006-02-22 13:45 UTC, Josh Bressers
no flags Details
Preliminary patch, useful to confirm the diagnosis. (1.17 KB, patch)
2006-03-02 19:51 UTC, Carl Worth
no flags Details | Diff
Make _cairo_xlib_surface_show_glyphs break things up into chunks. (3.72 KB, patch)
2006-03-03 19:12 UTC, Carl Worth
no flags Details | Diff

Description Josh Bressers 2006-02-22 13:45:01 UTC
The message in the "URL" field of this bug describes a way to DoS the evolution
we currently ship in FC5test3.  This issue does not affect FC4 (I did check). 
According to SecurityFocus, it should only affect evolution 2.3 and above (I've
done zero verification of this though).

Comment 1 Josh Bressers 2006-02-22 13:45:01 UTC
Created attachment 125028 [details]
mbox file which triggers this flaw

Comment 2 Josh Bressers 2006-02-23 21:22:50 UTC
Ray tells me this is a cairo bug:

Comment 3 Ray Strode [halfline] 2006-02-23 23:52:13 UTC
I talked to Carl and he said he thinks it will be an easy fix.  I have a vague
idea what to do, but I'll defer to him.

Comment 4 Carl Worth 2006-03-02 19:51:13 UTC
Created attachment 125562 [details]
Preliminary patch, useful to confirm the diagnosis.

Here's the simplest patch I could think of to cairo that should actually solve
the bug.

It's not yet a fully adequate solution, for two reasons, as noted in the
comments of the patch (and copied below).

But if someone were able to verify that the evolution bug goes away after this
patch is applied to cairo, then that would be a useful thing to know.

I should have a more complete patch ready soon.


    /* XXX: This 20000 number was arbitrarily picked from the ballpark
     * of values that empirically appear to do the job. I'm working on
     * coming up with the real equation for deciding this cutoff. */

    /* XXX: Returning UNSUPPORTED in this case is not the kindest
     * thing to do. The results will still be correct, (the
     * UNSUPPORTED return will cause fallbacks to kick in), but there
     * will be a rather abrupt performance cliff for any application
     * that crosses this threshold. Better would be to still render
     * all the glyphs via XRender but just batch it up into
     * small-enough pieces. */

Comment 5 Carl Worth 2006-03-03 19:12:26 UTC
Created attachment 125615 [details]
Make _cairo_xlib_surface_show_glyphs break things up into chunks.

Here's a better patch.

It resolves both problems of the previous patch, and therefore also avoids the
problem with the previous patch that Ray found which is that the fallbacks
could trigger an attempt to create a too-huge Pixmap and crash again.

Please let me know if this patch to cairo solves the problem with evolution.


Comment 6 Ray Strode [halfline] 2006-03-03 21:24:44 UTC
It looks like the fixed packages are queued up for tomorrow's rawhide, so closing...

Comment 7 Frank Arnold 2006-03-07 11:02:42 UTC
*** Bug 181986 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.