Bug 435759 - (CVE-2008-0072) CVE-2008-0072 Evolution format string flaw
CVE-2008-0072 Evolution format string flaw
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=critical,source=vendorsec,repo...
: Security
Depends On: 435796 435797 435798 435799 435800 435801 435802 436080 436081 436082
Blocks:
  Show dependency treegraph
 
Reported: 2008-03-03 13:38 EST by Josh Bressers
Modified: 2010-02-24 00:23 EST (History)
5 users (show)

See Also:
Fixed In Version: 2.10.3-8.fc7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-03-06 11:58:47 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Josh Bressers 2008-03-03 13:38:30 EST
Ulf Harnhammar of Secunia Research reported a format string flaw in the way
Evolution parses PGP encrypted messages.

It should be possible for a malicious mail message to abuse this flaw to execute
arbitrary code when a user open the mail message.

Acknowledgements:

Red Hat would like to thank Ulf Härnhammar of Secunia Research for finding
and reporting this issue.
Comment 4 Mark J. Cox (Product Security) 2008-03-04 04:58:59 EST
Format string flaws are usually detected by FORTIFY_SOURCE which will notice
that the %n is from a writable string and abort.  But this wasn't happening when
testing this flaw.

On RHEL5, the user supplied format string is passed to em_format_format_error()
in evolution which calls g_strdup_vprintf from glib2.  Unfortunately
g_strdup_vprintf in glib2 uses vasprintf, and vasprintf is a function that is
not fortified.  (I'll file a feature request about that and see if we can't get
glibc to fortify vasprintf/asprintf etc.)
Comment 7 Tomas Hoger 2008-03-05 04:39:02 EST
Public now on Secunia site, lifting embargo:

http://secunia.com/advisories/29057/
http://secunia.com/secunia_research/2008-8/
Comment 9 Fedora Update System 2008-03-05 12:39:13 EST
evolution-2.10.3-8.fc7 has been submitted as an update for Fedora 7
Comment 10 Fedora Update System 2008-03-05 12:45:29 EST
evolution-2.12.3-3.fc8 has been submitted as an update for Fedora 8
Comment 11 Fedora Update System 2008-03-06 11:37:51 EST
evolution-2.10.3-8.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2008-03-06 11:38:11 EST
evolution-2.12.3-3.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.