Bug 182416 - CVE-2006-0528 Evolution mail DoS
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: cairo
Version: 5
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: ---
Assigned To: Carl Worth
URL: http://archives.neohapsis.com/archive...
Whiteboard: source=cve,reported=20060202,impact=i...
Duplicates: 181986
Depends On:
Blocks: FC5Blocker
 
Reported: 2006-02-22 08:45 EST by Josh Bressers
Modified: 2007-11-30 17:11 EST
CC List: 2 users

Doc Type: Bug Fix
Last Closed: 2006-03-03 16:24:44 EST


Attachments
mbox file which triggers this flaw (41.03 KB, text/plain)
2006-02-22 08:45 EST, Josh Bressers
Preliminary patch, useful to confirm the diagnosis. (1.17 KB, patch)
2006-03-02 14:51 EST, Carl Worth
Make _cairo_xlib_surface_show_glyphs break things up into chunks. (3.72 KB, patch)
2006-03-03 14:12 EST, Carl Worth
Description Josh Bressers 2006-02-22 08:45:01 EST
The message in the "URL" field of this bug describes a way to DoS the evolution
we currently ship in FC5test3.  This issue does not affect FC4 (I did check). 
According to SecurityFocus, it should only affect evolution 2.3 and above (I've
done zero verification of this though).
http://www.securityfocus.com/bid/16408
Comment 1 Josh Bressers 2006-02-22 08:45:01 EST
Created attachment 125028
mbox file which triggers this flaw
Comment 2 Josh Bressers 2006-02-23 16:22:50 EST
Ray tells me this is a cairo bug:
https://bugs.freedesktop.org/show_bug.cgi?id=5528
Comment 3 Ray Strode [halfline] 2006-02-23 18:52:13 EST
I talked to Carl and he said he thinks it will be an easy fix.  I have a vague
idea what to do, but I'll defer to him.
Comment 4 Carl Worth 2006-03-02 14:51:13 EST
Created attachment 125562
Preliminary patch, useful to confirm the diagnosis.

Here's the simplest patch I could think of to cairo that should actually solve
the bug.

It's not yet a fully adequate solution, for two reasons, as noted in the
comments of the patch (and copied below).

But if someone were able to verify that the evolution bug goes away after this
patch is applied to cairo, then that would be a useful thing to know.

I should have a more complete patch ready soon.

-Carl

    /* XXX: This 20000 number was arbitrarily picked from the ballpark
     * of values that empirically appear to do the job. I'm working on
     * coming up with the real equation for deciding this cutoff. */

    /* XXX: Returning UNSUPPORTED in this case is not the kindest
     * thing to do. The results will still be correct, (the
     * UNSUPPORTED return will cause fallbacks to kick in), but there
     * will be a rather abrupt performance cliff for any application
     * that crosses this threshold. Better would be to still render
     * all the glyphs via XRender but just batch it up into
     * small-enough pieces. */
Comment 5 Carl Worth 2006-03-03 14:12:26 EST
Created attachment 125615
Make _cairo_xlib_surface_show_glyphs break things up into chunks.

Here's a better patch.

It resolves both problems of the previous patch, and therefore also avoids the
problem with the previous patch that Ray found which is that the fallbacks
could trigger an attempt to create a too-huge Pixmap and crash again.

Please let me know if this patch to cairo solves the problem with evolution.

-Carl
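An added illustration of the approach the two patches above describe, written for this page; it is not Carl's cairo patch and uses neither cairo nor Xlib. The first patch rejected glyph runs over an arbitrary 20000 cutoff (correct, but with the "performance cliff" the patch comment admits, and fallbacks that could still allocate a too-huge Pixmap); the second batches the run into pieces small enough for the server. The code below derives the batch size from a maximum request length, so an attacker-supplied message with an enormous glyph run becomes many bounded requests rather than one oversized request, and a recording sink standing in for the X server refuses any batch that exceeds the bound. The glyph record, the per-request and per-glyph byte costs, the function names and the 256 KiB limit in main() are all assumptions for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>

/* Hypothetical glyph record for the example; not cairo's cairo_glyph_t. */
typedef struct {
    unsigned long index;   /* glyph id within the font */
    double x, y;           /* device-space position */
} glyph_t;

/* Assumed wire costs (constructed for the example, not the XRender encoding):
 * a fixed header per request plus a fixed number of bytes per glyph. */
#define REQUEST_HEADER_BYTES 32u
#define GLYPH_BYTES           8u

/* Sink that receives one bounded batch; returns 0 on success, nonzero to abort. */
typedef int (*emit_fn)(const glyph_t *glyphs, size_t count, void *user);

/* Largest number of glyphs whose encoded size still fits in one request.
 * Returns 0 when not even one glyph fits. */
size_t glyphs_per_request(size_t max_request_bytes)
{
    if (max_request_bytes <= REQUEST_HEADER_BYTES)
        return 0;
    return (max_request_bytes - REQUEST_HEADER_BYTES) / GLYPH_BYTES;
}

/* Submit n glyphs as a sequence of requests that each stay within
 * max_request_bytes. Returns the number of requests emitted, or -1 if the
 * limit is unusable or the sink reports an error. Unlike a fixed
 * "too many glyphs, give up" cutoff, every input size gets rendered and the
 * cost grows linearly with n instead of dropping off a cliff. */
long show_glyphs_chunked(const glyph_t *glyphs, size_t n,
                         size_t max_request_bytes, emit_fn emit, void *user)
{
    size_t per = glyphs_per_request(max_request_bytes);
    long requests = 0;

    if (per == 0)
        return -1;
    for (size_t off = 0; off < n; off += per) {
        size_t count = (n - off < per) ? n - off : per;
        if (emit(glyphs + off, count, user) != 0)
            return -1;
        requests++;
    }
    return requests;
}

/* Recording sink used by run_demo: it plays the X server, rejecting any
 * batch over its cap and tracking the largest batch it received. */
typedef struct {
    size_t cap;      /* largest batch the sink will accept */
    size_t largest;  /* largest batch actually received */
    size_t total;    /* glyphs received in total */
} record_t;

static int record_emit(const glyph_t *glyphs, size_t count, void *user)
{
    record_t *r = user;
    (void)glyphs;
    if (count > r->cap)
        return -1;            /* oversized request: refuse it */
    if (count > r->largest)
        r->largest = count;
    r->total += count;
    return 0;
}

/* Build n constructed glyphs, push them through the chunker and report how
 * many requests it took; *largest_out receives the biggest batch size. */
long run_demo(size_t n, size_t max_request_bytes, size_t *largest_out)
{
    glyph_t *glyphs = calloc(n ? n : 1, sizeof *glyphs);
    record_t rec = { glyphs_per_request(max_request_bytes), 0, 0 };
    long requests;

    if (!glyphs)
        return -1;
    for (size_t i = 0; i < n; i++) {
        glyphs[i].index = i % 256;     /* constructed sample data */
        glyphs[i].x = 7.0 * (double)i;
        glyphs[i].y = 12.0;
    }
    requests = show_glyphs_chunked(glyphs, n, max_request_bytes,
                                   record_emit, &rec);
    free(glyphs);
    if (requests >= 0 && rec.total != n)
        return -1;                     /* sanity check: nothing dropped */
    if (largest_out)
        *largest_out = rec.largest;
    return requests;
}

int main(void)
{
    /* 256 KiB is an assumed request limit for the example only. */
    size_t limit = 256u * 1024u, largest = 0;
    long reqs = run_demo(100000, limit, &largest);

    printf("100000 glyphs under a %zu-byte limit: %ld requests, largest batch %zu\n",
           limit, reqs, largest);
    return reqs < 0;
}
```

The point the second patch makes is visible in run_demo: with a 256 KiB limit, a 100000-glyph run is split into four requests of at most 32764 glyphs, so the sink never sees a request it would have to reject, and there is no separate fallback path that could itself allocate something oversized.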
Comment 6 Ray Strode [halfline] 2006-03-03 16:24:44 EST
It looks like the fixed packages are queued up for tomorrow's rawhide, so closing...
Comment 7 Frank Arnold 2006-03-07 06:02:42 EST
*** Bug 181986 has been marked as a duplicate of this bug. ***
