Bug 244277 - (CVE-2007-3257) CVE-2007-3257 evolution malicious server arbitrary code execution
CVE-2007-3257 evolution malicious server arbitrary code execution
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
http://bugzilla.gnome.org/show_bug.cg...
impact=important,source=vendorsec,pub...
: Security
Depends On: 244283 244285 244287 244289 244290 244291 244292 244293 244295
Blocks:
  Show dependency treegraph
 
Reported: 2007-06-14 15:51 EDT by Josh Bressers
Modified: 2008-03-10 01:47 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-03-10 01:47:34 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
GNOME Desktop 447414 None None None Never

  None (edit)
Description Josh Bressers 2007-06-14 15:51:01 EDT
A bug was reported to the upstream BTS detailing a flaw in the way evolution
accepts IMAP server data.  To quote the upstream bug:

    The "SEQUENCE" value in the GData of the IMAP code (camel-imap-folder.c)
    is converted from a string using strtol. This allows for negative values.

    The imap_rescan uses this value as an int. It checks for !seq and
    seq>summary.length. It doesn't check for seq < 0. Although seq is used as
    the index of an array.

    This means that a negative index number can be fed to the array lookup by
    altering the output of an IMAP server.

    I'm marking this as a blocker (very very serious) security bug as this is
    remotely exploitable (I can put shell code in the UID field of the IMAP
    code, and make it execute on the victim's computer, as at the seq'd field
    of the index a g_strdup of the UID is written to memory. By carefully
    calculating the negative value and overwriting the instruction pointer
    near the array's start, I can let it point to that memory and get it to
    execute).

This flaw is only exploitable via a man in the middle, or a malicious IMAP server.
Comment 4 Matthew Barnes 2008-03-10 01:47:34 EDT
I assume this has been released by now.  Closing as ERRATA.

Note You need to log in before you can comment on or make changes to this bug.