Bug 219055 - CVE-2007-0010 GdbPixbufLoader fails to handle invalid input from Evolution correctly
Summary: CVE-2007-0010 GdbPixbufLoader fails to handle invalid input from Evolution co...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: gtk2
Version: 5.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
: ---
Assignee: Matthias Clasen
QA Contact: David Lawrence
URL:
Whiteboard: impact=moderate,source=vendor-sec,rep...
: 218931 (view as bug list)
Depends On: 218755
Blocks: 216686
TreeView+ depends on / blocked
 
Reported: 2006-12-10 04:35 UTC by Matthias Clasen
Modified: 2007-11-30 22:07 UTC (History)
3 users (show)

Fixed In Version: 5.0.0
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-12-15 09:06:14 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Matthias Clasen 2006-12-10 04:35:41 UTC 
+++ This bug was initially created as a clone of Bug #218755 +++

Description of problem:


evolution crashes on the spam mail I'll attach as mbox; the crash may well turn
out to be a security issue in itself. But just crashing is serious since the
next time evo opens it immediately goes back to the same mail and crashes again,
so a non-expert user cannot recover from this.

I suspect RHEL5 is affected too

-- Additional comment from arjan.com on 2006-12-07 06:07 EST --
Created an attachment (id=143043)
mbox with the crashing mail


-- Additional comment from lkundrak on 2006-12-08 10:08 EST --
The file "navigable.gif" is incorrectly encoded. I think evolution should not
feed underlying gdk with the corrupted data, but I doubt an assertion failure
there is the right way to handle the faulty gif.

When you extract the file (with reformime or evolution) and either try to view
it with firefox or gqview or embed it in another email message and open in
evolution it is correctly reported as being broken.

Moreover there's some interesting stuff in the broken base64 data: for example
the IN-SB-8XX-PLATFORMS string encoded there. How could it happen to came there?
Maybe this message was meant to exploit some windows software or encoded by a
horribly broken software? I got no smarter after disassembling the 8bit parts of
the part.

-- Additional comment from lkundrak on 2006-12-08 10:18 EST --
Created an attachment (id=143153)
Backtrace from FC6

evolution-2.8.2.1-2.fc6
gtk2-2.10.4-6.fc6

-- Additional comment from mclasen on 2006-12-08 11:10 EST --
Looks like memory corruption to me. 
I don't see how that assert can trigger, unless something scribbles over the
pixbuf, since all pixbuf_new calls in the gif loader create pixbufs with alpha.

-- Additional comment from mclasen on 2006-12-09 23:12 EST --
I found that gtkhtml ignores the return value of gdk_pixbuf_loader_write() and
just continues throwing invalid data at the loader.
Admittedly, the GdkPixbufLoader documentation makes it sound as if that was ok, 
since it says that the loader is closed if write() returns FALSE. This is not 
actually the case right now. I'll attach a patch which changes gdk-pixbuf to 
behave as documented. This fixes the bug.



-- Additional comment from mclasen on 2006-12-09 23:12 EST --
Created an attachment (id=143235)
close-loader.patch
Comment 1 Matthias Clasen 2006-12-11 03:47:08 UTC 
*** Bug 218931 has been marked as a duplicate of this bug. ***
Comment 2 Matthias Clasen 2006-12-11 18:01:02 UTC 
Fix is in gtk2-2.10.4-10.el5
Comment 5 Xiaohong Wang 2006-12-15 07:34:43 UTC 
Pls ignore comment #4

Tested in gtk2-2.10.4-8.el5, imported mbox with the crashing mail to evolution,
try to open it, crash happened.

Verified in gtk2-2.10.4-10.el5, no crash, so will resolve it when the
package is in the tree.
Comment 6 Xiaohong Wang 2006-12-15 09:06:14 UTC 
Verified gtk2-2.10.4-10.el5 has been included in RHEL5-Client-20061213.nightly,
so  resolve this bug.
Note You need to log in before you can comment on or make changes to this bug.