Bug 448540 (CVE-2008-1108) - CVE-2008-1108 evolution: iCalendar buffer overflow via large timezone specification
Summary: CVE-2008-1108 evolution: iCalendar buffer overflow via large timezone specifi...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-1108
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 448719 448720 448721 448722 448723 448724 448725 448726 449922 449923 449924 449925
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-05-27 15:12 UTC by Tomas Hoger
Modified: 2019-09-29 12:24 UTC (History)
4 users (show)

Fixed In Version: 2.22.2-2.fc9
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-06-06 07:59:35 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0514 normal SHIPPED_LIVE Important: evolution security update 2008-06-04 10:46:22 UTC
Red Hat Product Errata RHSA-2008:0515 normal SHIPPED_LIVE Important: evolution28 security update 2008-06-04 12:57:45 UTC
Red Hat Product Errata RHSA-2008:0516 normal SHIPPED_LIVE Critical: evolution security update 2008-06-04 11:58:29 UTC
Red Hat Product Errata RHSA-2008:0517 normal SHIPPED_LIVE Critical: evolution security update 2008-06-04 11:04:57 UTC

Description Tomas Hoger 2008-05-27 15:12:29 UTC
Alin Rad Pop of the Secunia Research discovered following issue affecting
evolution's iCalendar handling code:

A boundary error exists when parsing timezone strings contained
within iCalendar attachments. This can be exploited to overflow a static
buffer via an overly long timezone string.

Successful exploitation allows execution of arbitrary code, but requires
that the ITip Formatter plugin is disabled.

Vulnerability Details:
The vulnerability is present within the "write_label_piece()"
function in calendar/gui/e-itip-control.c at line 713, when the
extracted display name of the timezone is longer than the destination
buffer.

[calendar/gui/e-itip-control.c:713]
		strcat(buffer, display_name);

Acknowledgements:

Red Hat would like to thank Alin Rad Pop of Secunia Research for responsibly disclosing this issue.

Comment 3 Matthew Barnes 2008-05-27 18:13:54 UTC
Created attachment 306808 [details]
Patch

Here's the patch I proposed to upstream.  It might be a bit more extensive than
necessary to address this particular vulnerability, but I get paranoid when I
see sprintf() being used anywhere.  Upstream is reviewing the patch and should
let me know tomorrow if it's acceptable.

Like CVE-2008-1109, this also affects all supported Fedora releases.

Comment 5 Matthew Barnes 2008-05-28 11:37:31 UTC
Upstream approved the patch in comment #3.

Comment 11 Tomas Hoger 2008-05-29 12:19:19 UTC
Btw, there seems to be other instances of write_label_piece() function doing
doing similar strcat stuff without size checks in calendar/gui/print.c and
calendar/gui/dialogs/comp-editor-util.c .  Can those implementations be fed with
malicious data from mail?  How can they be reached.  I suspect we should fix
those as well.

Comment 12 Tomas Hoger 2008-05-29 13:10:03 UTC
print.c:

Unbound write in write_label_piece() is performed for stext and etext.  Function
is called from print_date_label() and only hard-coded strings (either in source
code or in localization files) are passed as an arguments, and can not be
controlled by a remote attacker.

e_time_format_date_and_time() can possibly be called with negative buffer_size
argument, but this would require either long stext (not controlled by an
attacker) or possibly long string returned in previous
e_time_format_date_and_time() call.  That depends on user's locale definition,
out of remote attacker control.

comp-editor-util.c:

Similar to print.c case.

These should not have any security implications and can not be triggered by
crafted .ics files.

Matthew, please correct me if I'm wrong.  Thanks to Milan Crha for useful hints
with these!


Comment 13 Matthew Barnes 2008-05-29 14:30:26 UTC
Correct.  I would imagine Evolution is chock full of cases like that.  There's a
lot of old and poorly written code there, especially in the calendar.

I was planning to sweep the current code base looking for similar unchecked
string buffer writes and will let you know if I find anything exploitable.

Comment 16 Tomas Hoger 2008-06-04 09:40:38 UTC
Public now, lifting embargo:

  http://secunia.com/advisories/30298
  http://secunia.com/secunia_research/2008-22/advisory/

Comment 17 Tomas Hoger 2008-06-04 09:45:36 UTC
CVSSv2 scores are different for different evolution versions:

- old evolution versions that do not have Itip Formatter plugin (e.g. as shipped
in Red Hat Enterprise Linux 3 and 4) - the overflow is triggered when messages
is viewed, preview pane is enabled by default, hence AC:L

  cvss2=7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P

- newer evolution versions that have Itip Formatter plugin which is enabled by
default (e.g. as shipped in Red Hat Enterprise Linux 5 and Fedora, and
evolution28 packages as shipped in Red Hat Enterprise Linux 4); issue can only
be exploited if user has disabled Itip Formatter plugin, hence AC:M

  cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P


Comment 19 Fedora Update System 2008-06-04 11:12:17 UTC
evolution-2.10.3-10.fc7 has been submitted as an update for Fedora 7

Comment 20 Fedora Update System 2008-06-04 11:13:27 UTC
evolution-2.12.3-5.fc8 has been submitted as an update for Fedora 8

Comment 21 Fedora Update System 2008-06-04 11:14:58 UTC
evolution-2.22.2-2.fc9 has been submitted as an update for Fedora 9

Comment 22 Tomas Hoger 2008-06-04 11:38:16 UTC
Possible mitigations that can be used before updating to fixed packages:

- old evolution versions (Red Hat Enterprise Linux 3 and 4) - No known
mitigations, you have to install updated packages.

- newer evolution versions (Red Hat Enterprise Linux 5 and Fedora, evolution28
packages in Red Hat Enterprise Linux 4) - Make sure Itip Formatter plugin is
enabled (should be, as it is enabled by default).  If uncertain, you can run
evolution as 'evolution --component=calendar' to start evolution in Calendar
view to avoid accidental loading of possibly malicious mail.  You can check
plugin settings from Calendar view.

Comment 23 Fedora Update System 2008-06-06 07:47:32 UTC
evolution-2.22.2-2.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 24 Fedora Update System 2008-06-06 07:49:10 UTC
evolution-2.12.3-5.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 25 Fedora Update System 2008-06-06 07:49:28 UTC
evolution-2.10.3-10.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.