As seen here: http://lwn.net/Articles/174015/

About 7 weeks ago an automated mailing list spewed a large but valid email containing a lot of URLs and other formatting. When this email is fed into Evolution, the behaviour it causes leads Evolution to expand dramatically in size and eat vast amounts of CPU time. If you've got a lot of patience and memory it is eventually rendered correctly (many minutes and many gigs).

The attack in question can be triggered with a large but valid plain text email containing no unusual features. It is possible to perform the attack with a somewhat smaller message than the one given, but the one provided should suffice for analysis and testing.

Worse, and the reason this becomes more than irritating, is that Evolution tries to be smart when it is killed or dies. On restarting it will go to great trouble to attempt to restart in the same position it died or was shut down - which triggers the DoS again each time Evolution is opened.

This bug was reported to vendor-sec January 18th, and acknowledged January 19th as CVE-2006-0040. A request for any follow up details was posted end of February. No vendor has chosen to provide any more information, which I find disappointing.

The email that triggered the original accidental discovery is available at http://zeniv.linux.org.uk/~alan/destroy-evolution.mbox

As the problem appears to come from gtkhtml it is likely that other gtkhtml users may be similarly afflicted.

Recommendations:
- Block large text emails with many URLs using a filter rule
- Ask your vendor awkward questions or switch mailer
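The first recommendation above, a filter rule that holds back large text emails carrying many URLs, can be implemented in front of the mailer rather than inside it. The following is an added example, not code from the bug report or from Evolution/gtkhtml: it parses an RFC 822 message with Python's standard email package, counts URLs in the text parts and returns a deliver/quarantine verdict. The thresholds (64 KiB and 500 URLs), the example.invalid addresses and the build_sample helper are constructed for illustration; tune the thresholds to the traffic you actually see.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Matches http/https/ftp URLs in a text body; constructed for this example.
URL_RE = re.compile(r'(?:https?|ftp)://[^\s<>"\']+', re.IGNORECASE)

# Assumed thresholds: a message is suspicious when it is both large and URL-dense.
MIN_SIZE_BYTES = 64 * 1024
MAX_URLS = 500


def count_urls_in_text_parts(raw_message: bytes) -> tuple[int, int]:
    """Return (message size in bytes, number of URLs found in text/* parts)."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    urls = 0
    for part in msg.walk():
        # Only text parts are rendered by the mail client's HTML widget.
        if part.get_content_type() in ("text/plain", "text/html"):
            urls += len(URL_RE.findall(part.get_content()))
    return len(raw_message), urls


def classify(raw_message: bytes,
             min_size: int = MIN_SIZE_BYTES,
             max_urls: int = MAX_URLS) -> dict:
    """Filter rule: quarantine large messages with many URLs, deliver the rest."""
    size, urls = count_urls_in_text_parts(raw_message)
    verdict = "quarantine" if (size >= min_size and urls >= max_urls) else "deliver"
    return {"size": size, "urls": urls, "verdict": verdict}


def build_sample(n_urls: int) -> bytes:
    """Construct a plain-text message with n_urls URLs (sample data, not real mail)."""
    msg = EmailMessage()
    msg["From"] = "list@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed digest"
    body = "\n".join(f"http://example.invalid/item/{i}" for i in range(n_urls))
    msg.set_content(body)
    return msg.as_bytes()


if __name__ == "__main__":
    for n in (3, 5000):
        print(n, classify(build_sample(n)))
```

The rule deliberately requires both conditions: a short message with many URLs (a link digest) and a large message with few URLs (an attached log) are both normal, while the combination is what the report describes. Run the same logic from a procmail or Sieve front end, or as a milter, so the message never reaches the client that would re-render it on every restart.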
Have we looked at this at all?
No response from upstream either. I guess evolution is no longer maintained. Can we please drop it for RHEL5 and ship something else?
For what it's worth, I filed a bug upstream which has gotten little attention: http://bugzilla.gnome.org/show_bug.cgi?id=337439
Should this be assigned to mbarnes?
It seems there's finally some movement on this upstream, though it's more of a workaround in Evolution than a direct fix for GtkHtml. See http://bugzilla.gnome.org/show_bug.cgi?id=33743 I'll get the patch into Rawhide for testing.
Sorry, the link was supposed to be: http://bugzilla.gnome.org/show_bug.cgi?id=337439#c9
Progress and a beginning but not a useful one. The perfect variant of this attack can screw you totally in a good deal under 4MB of input.

Alan
Moving this to F9Target.
Final Freeze is in effect now [1]. Security fixes almost certainly warrant a freeze break, so in case you build a fix for this, mail release engineering as described here: [2]

[1] https://www.redhat.com/archives/fedora-devel-announce/2008-April/msg00007.html
[2] http://fedoraproject.org/wiki/ReleaseEngineering/FinalFreezePolicy

Thanks!
I think at this point the solution is to drop GtkHTML entirely and move Evolution over to WebKit/GTK+. I've already started working on this and am hoping it will happen this year, at least for /viewing/ emails. Editing is another story.
Common Vulnerabilities and Exposures assigned an identifier CVE-2006-0040 to the following vulnerability:

GNOME Evolution 2.4.2.1 and earlier allows remote attackers to cause a denial of service (CPU and memory consumption) via a text e-mail with a large number of URLs, possibly due to unknown problems in gtkhtml.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0040
http://www.securityfocus.com/archive/1/archive/1/426452/100/0/threaded
http://www.securityfocus.com/bid/16899
http://www.frsirt.com/english/advisories/2006/0801
http://secunia.com/advisories/19094
http://xforce.iss.net/xforce/xfdb/25050
I imagine that somewhere in the last 5 years, between Fedora 9 and current Fedora, this has been fixed. As it did not affect RHEL5, and will not be fixed in RHEL4, I'm closing this bug.