Bug 183680 - (CVE-2006-0040) CVE-2006-0040 DoS from large email
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: public=20060301,reported=20060118,sou...
Keywords: Security
Blocks: F9Target
Reported: 2006-03-02 14:32 EST by Dave Malcolm
Modified: 2015-02-17 10:08 EST (History)
Doc Type: Bug Fix
Last Closed: 2015-02-17 10:08:36 EST
External Trackers: GNOME Desktop 337439
Description Dave Malcolm 2006-03-02 14:32:03 EST
As seen here: http://lwn.net/Articles/174015/

About 7 weeks ago an automated mailing list spewed a large but valid email
containing a lot of URLs and other formatting. When this email is fed into
evolution the behaviour it causes leads evolution to expand dramatically in
size and eat vast amounts of CPU time. If you've got a lot of patience and
memory it is eventually rendered correctly (many minutes and many gigs).

The attack in question can be triggered with a large but valid plain text
email containing no unusual features. It is possible to perform the attack with
a somewhat smaller message than the one given but the one provided should
suffice for analysis and testing.

Worse, and the reason this becomes more than irritating is that evolution
tries to be smart when it is killed or dies. On restarting it will go to
great trouble to attempt to restart in the same position it died or was shut
down - which triggers the DoS again each time evolution is opened.

This bug was reported to vendor-sec January 18th, and acknowledged January
19th as CVE-2006-0040. A request for any follow up details was posted end 
of February. No vendor has chosen to provide any more information which I 
find disappointing.

The email that triggered the original accidental discovery is available at

	http://zeniv.linux.org.uk/~alan/destroy-evolution.mbox

As the problem appears to come from gtkhtml it is likely that other gtkhtml
users may be similarly afflicted.

Recommendations:
	Block large text emails with many URLs using a filter rule
	Ask your vendor awkward questions
	or switch mailer
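The first recommendation above (a filter rule for large, URL-dense text mail) can be implemented at delivery time, before the message ever reaches the mailer's renderer. The following is an added example written for this page, not code from the original report, from Evolution or from gtkhtml. The size and URL-count thresholds are assumptions chosen for illustration, and the sample message is constructed here; it is not the mbox linked above. Both size and URL count are checked together, because the report notes the trigger can fit in well under 4 MB, so a size-only rule would be too coarse.

```python
"""Mail filter heuristic: hold large plain-text messages that are dense with URLs."""
import email
import re
from email import policy
from email.message import EmailMessage

# Thresholds are assumptions for this example; tune them to your own traffic.
# A size-only rule is not enough: it is the URL density that drives the
# renderer blow-up described in the report.
MAX_TEXT_BYTES = 512 * 1024   # plain-text bodies above 512 KiB ...
MAX_URLS = 1000               # ... that also carry more than 1000 URLs

URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s<>\"']+", re.IGNORECASE)


def analyze(raw_bytes):
    """Parse an RFC 5322 message and return (text_bytes, url_count) summed over its text/plain parts."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    text_bytes = 0
    url_count = 0
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        body = part.get_content()   # decoded str; charset and transfer encoding handled by the policy
        text_bytes += len(body.encode("utf-8", "replace"))
        url_count += len(URL_RE.findall(body))
    return text_bytes, url_count


def is_suspicious(raw_bytes, max_bytes=MAX_TEXT_BYTES, max_urls=MAX_URLS):
    """True when the message is both large and URL-dense: hold it for review instead of delivering it."""
    text_bytes, url_count = analyze(raw_bytes)
    return text_bytes > max_bytes and url_count > max_urls


def build_sample(n_urls):
    """Constructed test message (not the mbox from the report): a digest carrying n_urls links."""
    msg = EmailMessage()
    msg["From"] = "digest@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Automated digest"
    msg.set_content("\n".join(f"Item {i}: http://example.invalid/item/{i}" for i in range(n_urls)))
    return msg.as_bytes()


if __name__ == "__main__":
    for n in (5, 20000):
        sample = build_sample(n)
        print(n, "URLs ->", analyze(sample), "suspicious:", is_suspicious(sample))
```

Wired into a local delivery agent, `is_suspicious` would route matching mail to a quarantine folder rather than the inbox, which also sidesteps the restart loop described above: the message is never opened by the affected renderer in the first place.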
Comment 1 Josh Bressers 2006-03-23 15:04:13 EST
Have we looked at this at all?
Comment 2 Alan Cox 2006-03-23 19:26:35 EST
No response from upstream either. I guess evolution is no longer maintained.

Can we please drop it for RHEL5 and ship something else ?
Comment 3 Josh Bressers 2006-05-12 15:31:57 EDT
For what it's worth, I filed a bug upstream which has gotten little attention:
http://bugzilla.gnome.org/show_bug.cgi?id=337439
Comment 4 Matthias Clasen 2006-07-30 12:49:05 EDT
Should this be assigned to mbarnes ?
Comment 6 Matthew Barnes 2006-11-27 15:12:08 EST
It seems there's finally some movement on this upstream, though it's more of a
workaround in Evolution than a direct fix for GtkHtml.

See http://bugzilla.gnome.org/show_bug.cgi?id=33743

I'll get the patch into Rawhide for testing.
Comment 7 Matthew Barnes 2006-11-27 15:13:26 EST
Sorry, the link was supposed to be:
http://bugzilla.gnome.org/show_bug.cgi?id=337439#c9
Comment 8 Alan Cox 2006-11-27 15:27:20 EST
Progress and a beginning but not a useful one. The perfect variant of this
attack can screw you totally in a good deal under 4MB of input.

Alan
Comment 11 Matthew Barnes 2007-10-04 12:23:39 EDT
Moving this to F9Target.
Comment 12 Lubomir Kundrak 2008-04-08 16:00:11 EDT
Final Freeze is in effect now. Security fixes almost certainly warrant a freeze
break, so in case you build a fix for this, mail release engineering as
described here: [2]

[1] https://www.redhat.com/archives/fedora-devel-announce/2008-April/msg00007.html
[2] http://fedoraproject.org/wiki/ReleaseEngineering/FinalFreezePolicy

Thanks!
Comment 13 Matthew Barnes 2008-04-08 18:12:00 EDT
I think at this point the solution is to drop GtkHTML entirely and move
Evolution over to WebKit/GTK+.  I've already started working on this and am
hoping it will happen this year, at least for /viewing/ emails.  Editing is
another story.
Comment 14 Jan Lieskovsky 2009-02-16 08:33:28 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2006-0040 to
the following vulnerability:

GNOME Evolution 2.4.2.1 and earlier allows remote attackers to cause a denial of service (CPU and memory consumption) via a text e-mail with a large number of URLs, possibly due to unknown problems in gtkhtml.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0040
http://www.securityfocus.com/archive/1/archive/1/426452/100/0/threaded
http://www.securityfocus.com/bid/16899
http://www.frsirt.com/english/advisories/2006/0801
http://secunia.com/advisories/19094
http://xforce.iss.net/xforce/xfdb/25050
Comment 21 Vincent Danen 2015-02-17 10:08:36 EST
I imagine that somewhere in the last 5 years, between Fedora 9 and current Fedora, this has been fixed.  As it did not affect RHEL5, and will not be fixed in RHEL4, I'm closing this bug.