Bug 488226 - (CVE-2009-0587) CVE-2009-0587 evolution-data-server: integer overflow in base64 encoding functions
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Platform: All Linux
Priority: low Severity: low
Assigned To: Red Hat Product Security
Whiteboard: source=redhat,reported=20090114,publi...
Keywords: Security
Depends On: 488278 488279 488280 488281 488293 488439 488440 488441 488442
Blocks:
Reported: 2009-03-03 05:58 EST by Tomas Hoger
Modified: 2016-06-17 17:06 EDT (History)

Doc Type: Bug Fix
Last Closed: 2009-03-18 03:36:03 EDT


Attachments
Possible fix for _evc_base64_encode_simple() (526 bytes, patch)
2009-03-03 06:00 EST, Tomas Hoger
Possible fix for camel_base64_encode_simple() (601 bytes, patch)
2009-03-03 06:04 EST, Tomas Hoger

Description Tomas Hoger 2009-03-03 05:58:55 EST
Evolution Data Server contained multiple copies of a base64_encode_simple function, similar to the one now implemented in glib2, which were affected by glib2's CVE-2008-4316 integer overflow issue.

  out = g_malloc (len * 4 / 3 + 5);

If the affected functions were used on large untrusted inputs, the memory requirement computation may overflow, resulting in an insufficient memory allocation and a heap-based buffer overflow during the base64 encode of the supplied data.

Affected code existed in:

- _evc_base64_encode_simple() in addressbook/libebook/e-vcard.c, can possibly be triggered by a malicious LDAP address book backend

- camel_base64_encode_simple() in camel/camel-mime-utils.c, can possibly be triggered by NTLM SASL authentication, or the Exchange backend

Note: current upstream versions of Evolution Data Server are not affected by these flaws, as they no longer have their own base64 encoding and decoding routines and instead rely on the functions provided by glib2.  The change was done upstream in the following SVN commit:
  http://svn.gnome.org/viewvc/evolution-data-server?view=revision&revision=8090
Comment 1 Tomas Hoger 2009-03-03 06:00:29 EST
Created attachment 333864 [details]
Possible fix for _evc_base64_encode_simple()

Based on glib2's patch, see bug #474770.
Comment 2 Tomas Hoger 2009-03-03 06:04:53 EST
Created attachment 333866 [details]
Possible fix for camel_base64_encode_simple()

Unlike the patch for _evc_base64_encode_simple(), this g_errors for large inputs rather than returning NULL, as camel_base64_encode_simple() does not seem to be expected to ever return NULL.  Failing g_error should not be a big issue though, as with multiplication and division operations reversed, only inputs of 3gig+ (on 32 bit systems) can trigger overflow, which are quite unlikely.
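The size arithmetic discussed in the description and in comment 2, as an added example that is not part of the bug report or of evolution-data-server: the vulnerable `len * 4 / 3 + 5` computation, the amount the encoder actually writes, and the reordered computation with the bound check the patches add. `uint32_t` is used to model `size_t` on the 32-bit builds the comment refers to; all input lengths are constructed values.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed example (not evolution-data-server code). uint32_t models
 * size_t on the 32-bit builds where the overflow in the bug is reachable. */

/* Bytes a NUL-terminated, unwrapped base64 encoding of len input bytes
 * actually needs, computed in 64 bits so it cannot wrap: 4 per 3-byte group
 * (rounded up), plus the terminating NUL. */
uint64_t needed_bytes(uint32_t len)
{
    return 4 * (((uint64_t)len + 2) / 3) + 1;
}

/* The vulnerable size computation from the report: len * 4 / 3 + 5.
 * Multiplying first wraps the 32-bit product for any len >= 2^30 (1 GiB). */
uint32_t vuln_out_size(uint32_t len)
{
    return len * 4 / 3 + 5;
}

/* 1 if the vulnerable formula allocates less than the encoder writes,
 * i.e. the heap-based buffer overflow condition described in the report. */
int vuln_under_allocates(uint32_t len)
{
    return (uint64_t)vuln_out_size(len) < needed_bytes(len);
}

/* Fixed ordering (divide before multiply) plus an explicit bound check.
 * Returns 0 instead of handing back an undersized allocation; the _evc
 * patch maps that to returning NULL, the camel patch to g_error(). */
int safe_out_size(uint32_t len, uint32_t *out)
{
    /* len / 3 * 4 + 5 wraps only once len / 3 exceeds (UINT32_MAX - 5) / 4,
     * i.e. for inputs of roughly 3 GiB and above, as comment 2 notes. */
    if (len / 3 > (UINT32_MAX - 5) / 4)
        return 0;
    *out = len / 3 * 4 + 5;
    return 1;
}

int main(void)
{
    uint32_t len = 1u << 30, out;
    printf("len=%u vuln=%u needed=%llu under=%d safe_ok=%d\n", len,
           vuln_out_size(len), (unsigned long long)needed_bytes(len),
           vuln_under_allocates(len), safe_out_size(len, &out));
    return 0;
}
```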
Comment 14 Tomas Hoger 2009-03-12 10:53:50 EDT
Fix for glib is now committed in glib's upstream SVN:
  https://bugzilla.redhat.com/show_bug.cgi?id=474770#c17

Lifting embargo on this too.
Comment 15 Tomas Hoger 2009-03-13 09:53:15 EDT
Upstream SVN commit:
  http://svn.gnome.org/viewvc/evolution-data-server?view=revision&revision=10161
Comment 16 errata-xmlrpc 2009-03-16 10:37:05 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2009:0354 https://rhn.redhat.com/errata/RHSA-2009-0354.html
Comment 17 errata-xmlrpc 2009-03-16 10:47:42 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2009-0355 https://rhn.redhat.com/errata/RHSA-2009-0355.html
Comment 18 errata-xmlrpc 2009-03-16 10:54:11 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 3

Via RHSA-2009:0358 https://rhn.redhat.com/errata/RHSA-2009-0358.html
Comment 19 Tru Huynh 2009-03-16 16:38:08 EDT
as of Mon Mar 16 21:36:06 CET 2009
the src.rpm are not available on ftp://updates.redhat.com/

[tru@carrington ~]$ HEAD ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/evolution-1.4.5-25.el3.src.rpm

404 File 'evolution-1.4.5-25.el3.src.rpm' not found
Client-Date: Mon, 16 Mar 2009 20:36:14 GMT

[tru@carrington ~]$ HEAD ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/evolution-2.0.2-41.el4_7.2.src.rpm
404 File 'evolution-2.0.2-41.el4_7.2.src.rpm' not found
Client-Date: Mon, 16 Mar 2009 20:37:07 GMT

[tru@carrington ~]$ HEAD ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/evolution-data-server-1.0.2-14.el4_7.1.src.rpm
404 File 'evolution-data-server-1.0.2-14.el4_7.1.src.rpm' not found
Client-Date: Mon, 16 Mar 2009 20:37:21 GMT

thanks

Tru
Comment 20 Tomas Hoger 2009-03-17 05:53:40 EDT
(In reply to comment #19)
> as of Mon Mar 16 21:36:06 CET 2009
> the src.rpm are not available on ftp://updates.redhat.com/

Are you sure the version of HEAD you are using is not playing tricks on you?  With some older HEAD version, I still can get this bogus 404 message, even though the files are on the FTP and are wget-able.

Anyway, please consider preferring to follow:
  https://www.redhat.com/security/team/contact/

when reporting similar issues, rather than using needinfo BZ flags.
Comment 21 Tru Huynh 2009-03-17 07:15:33 EDT
the files were not there yesterday (I tried wget/HEAD/curl...) without success. They are now available, thx :)
Comment 22 Red Hat Product Security 2009-03-18 03:36:03 EDT
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2009-0354.html
  http://rhn.redhat.com/errata/RHSA-2009-0355.html
  http://rhn.redhat.com/errata/RHSA-2009-0358.html
Comment 23 Red Hat Product Security 2009-03-20 03:41:56 EDT
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2009-0354.html
  http://rhn.redhat.com/errata/RHSA-2009-0355.html
  http://rhn.redhat.com/errata/RHSA-2009-0358.html
