Ulf Harnhammar of Secunia Research reported a format string flaw in the way Evolution parses PGP encrypted messages. It should be possible for a malicious mail message to abuse this flaw to execute arbitrary code when a user opens the mail message. Acknowledgements: Red Hat would like to thank Ulf Härnhammar of Secunia Research for finding and reporting this issue.
Format string flaws are usually detected by FORTIFY_SOURCE which will notice that the %n is from a writable string and abort. But this wasn't happening when testing this flaw. On RHEL5, the user supplied format string is passed to em_format_format_error() in evolution which calls g_strdup_vprintf from glib2. Unfortunately g_strdup_vprintf in glib2 uses vasprintf, and vasprintf is a function that is not fortified. (I'll file a feature request about that and see if we can't get glibc to fortify vasprintf/asprintf etc.)
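The pattern described in the comment above, as an added illustration that is not code from Evolution or glib: a `g_strdup_vprintf`-style helper, the vulnerable call shape in which parsed mail text becomes the format string, the corrected shape in which that text is passed as an argument to a constant `"%s"` format, and a small check that counts conversion directives in data that is about to be used as a format. The function names and the stand-in helper (built on a two-pass `vsnprintf` rather than `vasprintf`, so it compiles without `_GNU_SOURCE`) are assumptions for this example; the hazard is the same either way, because the first argument is interpreted as a printf format and, as the comment notes, a `vasprintf`-based helper gets no FORTIFY_SOURCE check for `%n`.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for glib's g_strdup_vprintf (assumed helper, not glib's code):
 * formats into a freshly malloc'd buffer that the caller frees. A two-pass
 * vsnprintf is used instead of vasprintf purely for portability; either way
 * the first argument is honoured as a printf format. */
static char *strdup_vprintf_like(const char *fmt, va_list ap)
{
    va_list ap2;
    va_copy(ap2, ap);
    int n = vsnprintf(NULL, 0, fmt, ap2);   /* measure */
    va_end(ap2);
    if (n < 0)
        return NULL;
    char *buf = malloc((size_t)n + 1);
    if (buf == NULL)
        return NULL;
    vsnprintf(buf, (size_t)n + 1, fmt, ap);  /* render */
    return buf;
}

static char *strdup_printf_like(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    char *s = strdup_vprintf_like(fmt, ap);
    va_end(ap);
    return s;
}

/* Vulnerable shape (hypothetical name): the error text, which came from the
 * message being parsed, is used directly as the format string, so every '%'
 * directive in it is interpreted. Kept only to show the pattern; it is never
 * invoked with untrusted data here. */
static char *format_error_vulnerable(const char *untrusted_msg)
{
    return strdup_printf_like(untrusted_msg);
}

/* Fixed shape (hypothetical name): the format is a compile-time constant and
 * the untrusted text is an argument, so '%' characters in it are just bytes
 * copied into the output. */
static char *format_error_fixed(const char *untrusted_msg)
{
    return strdup_printf_like("Error: %s", untrusted_msg);
}

/* Counts printf conversion directives in a string; "%%" is a literal percent
 * sign and is not counted. A non-zero result for data that is about to be
 * passed as a format string is exactly the condition the bug describes, and
 * is a cheap assertion to put in front of any *printf wrapper during review. */
static int count_directives(const char *s)
{
    int count = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent, skip both characters */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample: text that would be dangerous as a format string. */
    const char *from_mail = "%x %n";
    printf("directives in sample: %d\n", count_directives(from_mail));
    char *s = format_error_fixed(from_mail);
    if (s != NULL) {
        printf("fixed shape output: %s\n", s);   /* prints the bytes literally */
        free(s);
    }
    (void)format_error_vulnerable;   /* referenced, deliberately not called */
    return 0;
}
```

The fixed function is the only one to use with parsed input; the directive counter is the kind of check a code reviewer or a fuzz harness can apply to any string that flows toward a `*printf` family call, since the normal FORTIFY_SOURCE safety net does not cover the `vasprintf` path mentioned above.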
Public now on Secunia site, lifting embargo: http://secunia.com/advisories/29057/ http://secunia.com/secunia_research/2008-8/
evolution-2.10.3-8.fc7 has been submitted as an update for Fedora 7
evolution-2.12.3-3.fc8 has been submitted as an update for Fedora 8
evolution-2.10.3-8.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
evolution-2.12.3-3.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in: Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2008-0177.html http://rhn.redhat.com/errata/RHSA-2008-0178.html Fedora: https://admin.fedoraproject.org/updates/F7/FEDORA-2008-2290 https://admin.fedoraproject.org/updates/F8/FEDORA-2008-2292