Alin Rad Pop of Secunia Research discovered the following issue affecting
evolution's iCalendar handling code:
A boundary error exists when parsing timezone strings contained
within iCalendar attachments. This can be exploited to overflow a static
buffer via an overly long timezone string.
Successful exploitation allows execution of arbitrary code, but requires
that the ITip Formatter plugin is disabled.
The vulnerability is present within the "write_label_piece()"
function in calendar/gui/e-itip-control.c at line 713, when the
extracted display name of the timezone is longer than the destination
Red Hat would like to thank Alin Rad Pop of Secunia Research for responsibly disclosing this issue.
Created attachment 306808
Here's the patch I proposed to upstream. It might be a bit more extensive than
necessary to address this particular vulnerability, but I get paranoid when I
see sprintf() being used anywhere. Upstream is reviewing the patch and should
let me know tomorrow if it's acceptable.
Like CVE-2008-1109, this also affects all supported Fedora releases.
Upstream approved the patch in comment #3.
Btw, there seem to be other instances of the write_label_piece() function
doing similar strcat stuff without size checks in calendar/gui/print.c and
calendar/gui/dialogs/comp-editor-util.c . Can those implementations be fed with
malicious data from mail? How can they be reached? I suspect we should fix
those as well.
Unbound write in write_label_piece() is performed for stext and etext. Function
is called from print_date_label() and only hard-coded strings (either in source
code or in localization files) are passed as arguments, and can not be
controlled by a remote attacker.
e_time_format_date_and_time() can possibly be called with negative buffer_size
argument, but this would require either long stext (not controlled by an
attacker) or possibly long string returned in previous
e_time_format_date_and_time() call. That depends on user's locale definition,
out of remote attacker control.
Similar to print.c case.
These should not have any security implications and can not be triggered by
crafted .ics files.
Matthew, please correct me if I'm wrong. Thanks to Milan Crha for useful hints.
Correct. I would imagine Evolution is chock full of cases like that. There's a
lot of old and poorly written code there, especially in the calendar.
I was planning to sweep the current code base looking for similar unchecked
string buffer writes and will let you know if I find anything exploitable.
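The exchange above is about unchecked strcat()/sprintf() writes into a fixed-size label buffer, where the timezone display name is the only piece that can arrive from a remote .ics attachment. The following is an added illustration, not code from Evolution or from the patch attached to this bug: a bounded append routine that refuses any piece that would not fit (including the terminating NUL) and a build_label() stand-in for the "stext + timezone + etext" assembly. Buffer size, function names and the sample TZID values are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size destination standing in for the static buffer the report
 * describes. The size is chosen for illustration, not Evolution's real one. */
#define LABEL_BUF_SIZE 64

/* Append `piece` to the NUL-terminated string already in `dst` without ever
 * writing past dst_size bytes. Returns 0 on success, -1 if the piece plus
 * its NUL would not fit; dst is left unchanged on failure. */
static int label_append(char *dst, size_t dst_size, const char *piece)
{
    size_t used = strlen(dst);
    size_t add = strlen(piece);

    if (used >= dst_size)            /* caller handed us a bad buffer */
        return -1;
    if (add >= dst_size - used)      /* room needed: add bytes + NUL */
        return -1;
    memcpy(dst + used, piece, add + 1);
    return 0;
}

/* Build "<stext><tzname><etext>" into a caller-supplied buffer. Hypothetical
 * bounded counterpart of a write_label_piece()-style helper: stext/etext are
 * trusted literals, tzname is the attachment-controlled input. */
int build_label(char *dst, size_t dst_size, const char *stext,
                const char *tzname, const char *etext)
{
    if (dst_size == 0)
        return -1;
    dst[0] = '\0';
    if (label_append(dst, dst_size, stext) != 0) return -1;
    if (label_append(dst, dst_size, tzname) != 0) return -1;
    if (label_append(dst, dst_size, etext) != 0) return -1;
    return 0;
}

/* Constructed input: an ordinary TZID. Returns the label length, or -1. */
int demo_short(void)
{
    char buf[LABEL_BUF_SIZE];
    if (build_label(buf, sizeof buf, "Time zone: ", "Europe/Prague", "") != 0)
        return -1;
    return (int)strlen(buf);
}

/* Constructed input: a timezone name of tz_len 'A's (tz_len < 200).
 * Returns 1 if the label fits the fixed buffer, 0 if it is rejected. */
int label_fits(size_t tz_len)
{
    char buf[LABEL_BUF_SIZE];
    char tz[200];

    if (tz_len >= sizeof tz)
        return 0;
    memset(tz, 'A', tz_len);
    tz[tz_len] = '\0';
    return build_label(buf, sizeof buf, "Time zone: ", tz, "") == 0;
}

int main(void)
{
    printf("short label length: %d\n", demo_short());
    printf("52-char tz fits: %d, 53-char tz fits: %d, 199-char tz fits: %d\n",
           label_fits(52), label_fits(53), label_fits(199));
    return 0;
}
```

The boundary check is deliberately `add >= dst_size - used` rather than `>`: with 64 bytes and an 11-byte prefix, a 52-character timezone name is the longest that still leaves room for the NUL, and a 53-character one is rejected instead of silently truncated or overflowed. Rejecting (and logging) an oversized piece is also a usable detection point for malformed attachments.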
Public now, lifting embargo:
CVSSv2 scores are different for different evolution versions:
- old evolution versions that do not have Itip Formatter plugin (e.g. as shipped
in Red Hat Enterprise Linux 3 and 4) - the overflow is triggered when the message
is viewed, preview pane is enabled by default, hence AC:L
- newer evolution versions that have Itip Formatter plugin which is enabled by
default (e.g. as shipped in Red Hat Enterprise Linux 5 and Fedora, and
evolution28 packages as shipped in Red Hat Enterprise Linux 4); issue can only
be exploited if the user has disabled Itip Formatter plugin, hence AC:M
evolution-2.10.3-10.fc7 has been submitted as an update for Fedora 7
evolution-2.12.3-5.fc8 has been submitted as an update for Fedora 8
evolution-2.22.2-2.fc9 has been submitted as an update for Fedora 9
Possible mitigations that can be used before updating to fixed packages:
- old evolution versions (Red Hat Enterprise Linux 3 and 4) - No known
mitigations, you have to install updated packages.
- newer evolution versions (Red Hat Enterprise Linux 5 and Fedora, evolution28
packages in Red Hat Enterprise Linux 4) - Make sure Itip Formatter plugin is
enabled (should be, as it is enabled by default). If uncertain, you can run
evolution as 'evolution --component=calendar' to start evolution in Calendar
view to avoid accidental loading of possibly malicious mail. You can check
plugin settings from Calendar view.
evolution-2.22.2-2.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
evolution-2.12.3-5.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
evolution-2.10.3-10.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in:
Red Hat Enterprise Linux: