Alin Rad Pop of Secunia Research discovered the following issue affecting Evolution's iCalendar handling code: a boundary error exists when parsing timezone strings contained within iCalendar attachments. This can be exploited to overflow a static buffer via an overly long timezone string. Successful exploitation allows execution of arbitrary code, but requires that the ITip Formatter plugin be disabled.

Vulnerability Details:

The vulnerability is present within the "write_label_piece()" function in calendar/gui/e-itip-control.c at line 713, when the extracted display name of the timezone is longer than the destination buffer.

[calendar/gui/e-itip-control.c:713] strcat(buffer, display_name);

Acknowledgements:

Red Hat would like to thank Alin Rad Pop of Secunia Research for responsibly disclosing this issue.
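A bounded version of the label-writing pattern described in the report, as an added example that is not Evolution's code or the patch attached to this bug; the buffer size, the function names and the sample timezone string are assumptions:

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Evolution's code: a size-checked replacement for an
 * unchecked strcat(buffer, display_name) into a fixed-size buffer.
 * LABEL_BUFFER_SIZE is an assumed value for this demo. */
#define LABEL_BUFFER_SIZE 32

/* Appends piece to buf (capacity bufsize, buf must already be NUL-terminated).
 * The result is always NUL-terminated and never exceeds bufsize.
 * Returns 1 if piece fit completely, 0 if it had to be truncated. */
int append_label_piece(char *buf, size_t bufsize, const char *piece)
{
    size_t used = strlen(buf);
    if (used >= bufsize)               /* caller bug: buffer already overfull */
        return 0;
    size_t room = bufsize - used - 1;  /* bytes left, excluding the NUL */
    size_t need = strlen(piece);
    size_t n = need < room ? need : room;
    memcpy(buf + used, piece, n);
    buf[used + n] = '\0';
    return need <= room;
}

/* Builds "Timezone: <display_name>" in a fixed-size label, the way a label
 * writer for an iCalendar timezone would, and reports whether it was cut. */
int build_timezone_label(char *out, size_t outsize, const char *display_name)
{
    out[0] = '\0';
    int ok = append_label_piece(out, outsize, "Timezone: ");
    ok &= append_label_piece(out, outsize, display_name);
    return ok;
}

int main(void)
{
    char label[LABEL_BUFFER_SIZE];
    /* Constructed sample: a display name far longer than the buffer. */
    char long_tz[256];
    memset(long_tz, 'A', sizeof long_tz - 1);
    long_tz[sizeof long_tz - 1] = '\0';

    int fit = build_timezone_label(label, sizeof label, "Europe/Prague");
    printf("%d '%s'\n", fit, label);            /* 1 'Timezone: Europe/Prague' */
    fit = build_timezone_label(label, sizeof label, long_tz);
    printf("%d len=%zu\n", fit, strlen(label)); /* 0 len=31 */
    return 0;
}
```

The truncation return value matters: a caller that silently drops part of a timezone name should at least be able to log it, which is the check the original strcat() never offered.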
Created attachment 306808 [details] Patch Here's the patch I proposed to upstream. It might be a bit more extensive than necessary to address this particular vulnerability, but I get paranoid when I see sprintf() being used anywhere. Upstream is reviewing the patch and should let me know tomorrow if it's acceptable. Like CVE-2008-1109, this also affects all supported Fedora releases.
Upstream approved the patch in comment #3.
Btw, there seem to be other instances of the write_label_piece() function doing similar strcat stuff without size checks in calendar/gui/print.c and calendar/gui/dialogs/comp-editor-util.c. Can those implementations be fed with malicious data from mail? How can they be reached? I suspect we should fix those as well.
print.c: An unbounded write in write_label_piece() is performed for stext and etext. The function is called from print_date_label() and only hard-coded strings (either in source code or in localization files) are passed as arguments, and they cannot be controlled by a remote attacker. e_time_format_date_and_time() can possibly be called with a negative buffer_size argument, but this would require either a long stext (not controlled by an attacker) or possibly a long string returned in the previous e_time_format_date_and_time() call. That depends on the user's locale definition, out of remote attacker control.

comp-editor-util.c: Similar to the print.c case.

These should not have any security implications and cannot be triggered by crafted .ics files. Matthew, please correct me if I'm wrong. Thanks to Milan Crha for useful hints with these!
Correct. I would imagine Evolution is chock full of cases like that. There's a lot of old and poorly written code there, especially in the calendar. I was planning to sweep the current code base looking for similar unchecked string buffer writes and will let you know if I find anything exploitable.
Public now, lifting embargo: http://secunia.com/advisories/30298 http://secunia.com/secunia_research/2008-22/advisory/
CVSSv2 scores are different for different evolution versions:

- old evolution versions that do not have the Itip Formatter plugin (e.g. as shipped in Red Hat Enterprise Linux 3 and 4) - the overflow is triggered when a message is viewed, the preview pane is enabled by default, hence AC:L

cvss2=7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P

- newer evolution versions that have the Itip Formatter plugin, which is enabled by default (e.g. as shipped in Red Hat Enterprise Linux 5 and Fedora, and evolution28 packages as shipped in Red Hat Enterprise Linux 4); the issue can only be exploited if the user has disabled the Itip Formatter plugin, hence AC:M

cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P
evolution-2.10.3-10.fc7 has been submitted as an update for Fedora 7
evolution-2.12.3-5.fc8 has been submitted as an update for Fedora 8
evolution-2.22.2-2.fc9 has been submitted as an update for Fedora 9
Possible mitigations that can be used before updating to fixed packages:

- old evolution versions (Red Hat Enterprise Linux 3 and 4) - No known mitigations, you have to install updated packages.

- newer evolution versions (Red Hat Enterprise Linux 5 and Fedora, evolution28 packages in Red Hat Enterprise Linux 4) - Make sure the Itip Formatter plugin is enabled (it should be, as it is enabled by default). If uncertain, you can run evolution as 'evolution --component=calendar' to start evolution in Calendar view to avoid accidental loading of possibly malicious mail. You can check plugin settings from Calendar view.
evolution-2.22.2-2.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
evolution-2.12.3-5.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
evolution-2.10.3-10.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in:

Red Hat Enterprise Linux:
http://rhn.redhat.com/errata/RHSA-2008-0514.html
http://rhn.redhat.com/errata/RHSA-2008-0516.html
http://rhn.redhat.com/errata/RHSA-2008-0517.html
http://rhn.redhat.com/errata/RHSA-2008-0515.html

Fedora:
https://admin.fedoraproject.org/updates/F7/FEDORA-2008-5018
https://admin.fedoraproject.org/updates/F8/FEDORA-2008-5016
https://admin.fedoraproject.org/updates/F9/FEDORA-2008-4990