448541 – (CVE-2008-1109) CVE-2008-1109 evolution: iCalendar buffer overflow via large description parameter

Bug 448541 (CVE-2008-1109) - CVE-2008-1109 evolution: iCalendar buffer overflow via large description parameter

Summary: CVE-2008-1109 evolution: iCalendar buffer overflow via large description para...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2008-1109
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	448719 448720 448721 448722 449922 449923 449924 449925
Blocks:
TreeView+	depends on / blocked

Reported:	2008-05-27 15:25 UTC by Tomas Hoger
Modified:	2023-05-11 12:57 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2008-06-06 08:00:06 UTC
Embargoed:

Attachments	(Terms of Use)
Patch (1.41 KB, patch) 2008-05-27 16:55 UTC, Matthew Barnes	no flags	Details \| Diff
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2008:0514	0	normal	SHIPPED_LIVE	Important: evolution security update	2008-06-04 10:46:22 UTC
Red Hat Product Errata	RHSA-2008:0515	0	normal	SHIPPED_LIVE	Important: evolution28 security update	2008-06-04 12:57:45 UTC

Description Tomas Hoger 2008-05-27 15:25:01 UTC

Alin Rad Pop of the Secunia Research discovered following issue affecting
evolution's iCalendar handling code:

A boundary error exists when replying to an iCalendar request while
in calendar view. This can be exploited to cause a heap-based buffer
overflow via an overly long "DESCRIPTION" property string included in an
iCalendar attachment.

Successful exploitation allows execution of arbitrary code, but requires
that the user accepts the iCalendar request and replies to it from the
"Calendars" window.

Vulnerability Details:
The vulnerability is present within the "html_new_lines_for()"
function in calendar/gui/itip-utils.c from line 190 on.

[calendar/gui/itip-utils.c:179]
	char *html_string = (char *) malloc (sizeof (char)* (3500));
        [ ... ]
	strcpy(html_string, (const char*) string);

Acknowledgements:

Red Hat would like to thank Alin Rad Pop of Secunia Research for responsibly disclosing this issue.

Comment 3 Matthew Barnes 2008-05-27 16:55:45 UTC

Created attachment 306797 [details]
Patch

Damn, that's about the most poorly written source code I've seen all week. 
Here's a patch for it.

Comment 6 Matthew Barnes 2008-05-28 11:37:02 UTC

Upstream approved the patch in comment #3.

Comment 11 Tomas Hoger 2008-06-04 09:41:40 UTC

Public now, lifting embargo:

  http://secunia.com/advisories/30298
  http://secunia.com/secunia_research/2008-23/advisory/

Comment 13 Fedora Update System 2008-06-04 11:12:19 UTC

evolution-2.10.3-10.fc7 has been submitted as an update for Fedora 7

Comment 14 Fedora Update System 2008-06-04 11:13:18 UTC

evolution-2.12.3-5.fc8 has been submitted as an update for Fedora 8

Comment 15 Fedora Update System 2008-06-04 11:15:03 UTC

evolution-2.22.2-2.fc9 has been submitted as an update for Fedora 9

Comment 16 Tomas Hoger 2008-06-04 11:38:31 UTC

Possible mitigations that can be used to reduce risk before updating to fixed
packages:

Do not reply to meeting requests from the Calendar view.  Do not accept
untrusted meeting requests to you calendar.

Comment 17 Fedora Update System 2008-06-06 07:47:34 UTC

evolution-2.22.2-2.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2008-06-06 07:49:07 UTC

evolution-2.12.3-5.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2008-06-06 07:49:26 UTC

evolution-2.10.3-10.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 Red Hat Product Security 2008-06-06 08:00:06 UTC

This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-0514.html
  http://rhn.redhat.com/errata/RHSA-2008-0515.html

Fedora:
  https://admin.fedoraproject.org/updates/F7/FEDORA-2008-5018
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-5016
  https://admin.fedoraproject.org/updates/F9/FEDORA-2008-4990

Note You need to log in before you can comment on or make changes to this bug.