Debian Bug report logs - #322535
evolution: Multiple format string vulnerabilities in Evolution

version graph

Package: evolution; Maintainer for evolution is Debian Evolution Maintainers <pkg-evolution-maintainers@lists.alioth.debian.org>; Source for evolution is src:evolution.

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Thu, 11 Aug 2005 09:33:12 UTC

Severity: grave

Tags: security

Fixed in version 2.2.3-3

Done: "Adam D. Barratt" <debian-bts@adam-barratt.org.uk>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Evolution Maintainers <pkg-evolution-maintainers@lists.alioth.debian.org>:
Bug#322535; Package evolution. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to Debian Evolution Maintainers <pkg-evolution-maintainers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: evolution: Multiple format string vulnerabilities in Evolution
Date: Thu, 11 Aug 2005 11:25:46 +0200
Package: evolution
Severity: grave
Tags: security

Multiple exploitable format string vulnerabilities have been found in
Evolution. Please see 
http://www.securityfocus.com/archive/1/407789/30/0/threaded
for details. 2.3.7 fixes all these issues.

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-rc5
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Evolution Maintainers <pkg-evolution-maintainers@lists.alioth.debian.org>:
Bug#322535; Package evolution. Full text and rfc822 format available.

Acknowledgement sent to metaur@telia.com:
Extra info received and forwarded to list. Copy sent to Debian Evolution Maintainers <pkg-evolution-maintainers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #10 received at 322535@bugs.debian.org (full text, mbox):

From: Ulf Harnhammar <metaur@telia.com>
To: 322535@bugs.debian.org
Subject: Patch
Date: Sat, 13 Aug 2005 12:47:45 +0200
If you don't want to upgrade to 2.3.7, which is unstable, you
can use our unofficial patch:

  o  http://www.sitic.se/dokument/evolution.formatstring.patch

// Ulf




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Evolution Maintainers <pkg-evolution-maintainers@lists.alioth.debian.org>:
Bug#322535; Package evolution. Full text and rfc822 format available.

Acknowledgement sent to Neil McGovern <neilm@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Evolution Maintainers <pkg-evolution-maintainers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #15 received at 322535@bugs.debian.org (full text, mbox):

From: Neil McGovern <neilm@debian.org>
To: 322535@bugs.debian.org
Subject: NMU
Date: Mon, 22 Aug 2005 22:24:16 +0100
[Message part 1 (text/plain, inline)]
Hi there,

Can you please update the package.
If there's no reply by Friday, I'll prepare an NMU.

Many thanks,
Neil McGovern
-- 
   __   
 .Ž  `. neilm@debian.org | Application Manager
 : :' ! ---------------- | Secure-Testing Team member
 `. `Ž  gpg: B345BDD3    | Webapps Team member
   `-   Please don't cc, I'm subscribed to the list
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Evolution Maintainers <pkg-evolution-maintainers@lists.alioth.debian.org>:
Bug#322535; Package evolution. Full text and rfc822 format available.

Acknowledgement sent to Takuo KITAME <kitame@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Evolution Maintainers <pkg-evolution-maintainers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #20 received at 322535@bugs.debian.org (full text, mbox):

From: Takuo KITAME <kitame@debian.org>
To: 322535@bugs.debian.org, Neil McGovern <neilm@debian.org>
Subject: Re: [Evolution] Bug#322535: NMU
Date: Thu, 25 Aug 2005 10:37:48 +0900
2005-08-22 (月) の 22:24 +0100 に Neil McGovern さんは書きました:
> Hi there,
> 
> Can you please update the package.
> If there's no reply by Friday, I'll prepare an NMU.
> 
> Many thanks,
> Neil McGovern

It seems no upstream release for 2.2.x (stable).
Please wait.

-- 
Takuo KITAME




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Evolution Maintainers <pkg-evolution-maintainers@lists.alioth.debian.org>:
Bug#322535; Package evolution. Full text and rfc822 format available.

Acknowledgement sent to Neil McGovern <neilm@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Evolution Maintainers <pkg-evolution-maintainers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #25 received at 322535@bugs.debian.org (full text, mbox):

From: Neil McGovern <neilm@debian.org>
To: 322535@bugs.debian.org
Subject: Re: [Evolution] Bug#322535: NMU
Date: Fri, 26 Aug 2005 21:23:31 +0100
[Message part 1 (text/plain, inline)]
Hi there,

Although there's no new upstream stable, there's a nice patch that would
fix this security bug. See earlier in the thread.

Could you please apply this?

Cheers,
Neil
-- 
   __   
 .Ž  `. neilm@debian.org | Application Manager
 : :' ! ---------------- | Secure-Testing Team member
 `. `Ž  gpg: B345BDD3    | Webapps Team member
   `-   Please don't cc, I'm subscribed to the list
[signature.asc (application/pgp-signature, inline)]

Reply sent to "Adam D. Barratt" <debian-bts@adam-barratt.org.uk>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #30 received at 322535-done@bugs.debian.org (full text, mbox):

From: "Adam D. Barratt" <debian-bts@adam-barratt.org.uk>
To: 322535-done@bugs.debian.org, 322535-submitter@bugs.debian.org
Cc: neilm@debian.org
Subject: #322535 appears to be fixed
Date: Sat, 27 Aug 2005 18:41:57 +0100
Version: 2.2.3-3

Hi,

It looks like this was fixed in the evolution 2.2.3-3 packages uploaded
on Thursday, but not closed due to a typo in the changelog:

evolution (2.2.3-3) unstable; urgency=high

   * security fix. (closes: Bug#32253)
     - Multiple exploitable format string vulnerabilities
       Applied unofficial security fix patch from
       http://www.sitic.se/dokument/evolution.formatstring.patch

 -- Takuo KITAME <kitame@debian.org>  Thu, 25 Aug 2005 14:58:34 +0900

Closing now.

Regards,

Adam



Message sent on to Moritz Muehlenhoff <jmm@inutil.org>:
Bug#322535. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Evolution Maintainers <pkg-evolution-maintainers@lists.alioth.debian.org>:
Bug#322535; Package evolution. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Evolution Maintainers <pkg-evolution-maintainers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #38 received at 322535@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: team@security.debian.org
Cc: 322535@bugs.debian.org
Subject: evolution CVE-2005-2549/CVE-2005-2550
Date: Thu, 1 Dec 2005 15:13:42 +0100
[Message part 1 (text/plain, inline)]
Dear security team,
so far there hasn't been a security update for the latest evolution
vulnerabilities. (CVE-2005-2549/CVE-2005-2550)
I've attached patches for Woody and Sarge. The Sarge fixes are straightforward,
but some comments on Woody, relative to the patch hunks from the Sarge fix:
- accum_attribute() isn't present in Woody, so hunk 1-3 are void.
- the vulnerable code from e-cal-component-preview.c isn't present either.
- the vulnerable code from e-calendar-table.c and e-calendar-view.c is contained
  in Woody, although in a different place. This is exploitable as well, have a
  look at the description of the function that feeds data into ical_string:
  | * cal-client/cal-client.c (cal_client_get_component_as_string): new
  |   function to return a complete VCALENDAR string containing a VEVENT
  |   or VTODO with all the VTIMEZONEs it uses.

Cheers,
        Moritz
[CVE-2005-2549-CVE-2005-2550-evolution-sarge.patch (text/plain, attachment)]
[CVE-2005-2549-CVE-2005-2550-evolution-woody.patch (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Evolution Maintainers <pkg-evolution-maintainers@lists.alioth.debian.org>:
Bug#322535; Package evolution. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Debian Evolution Maintainers <pkg-evolution-maintainers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #43 received at 322535@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: team@security.debian.org, 322535@bugs.debian.org
Subject: Re: evolution CVE-2005-2549/CVE-2005-2550
Date: Mon, 6 Feb 2006 15:52:00 +0100
Moritz Muehlenhoff wrote:
> Dear security team,
> so far there hasn't been a security update for the latest evolution
> vulnerabilities. (CVE-2005-2549/CVE-2005-2550)
> I've attached patches for Woody and Sarge. The Sarge fixes are straightforward,
> but some comments on Woody, relative to the patch hunks from the Sarge fix:
> - accum_attribute() isn't present in Woody, so hunk 1-3 are void.
> - the vulnerable code from e-cal-component-preview.c isn't present either.
> - the vulnerable code from e-calendar-table.c and e-calendar-view.c is contained
>   in Woody, although in a different place. This is exploitable as well, have a
>   look at the description of the function that feeds data into ical_string:
>   | * cal-client/cal-client.c (cal_client_get_component_as_string): new
>   |   function to return a complete VCALENDAR string containing a VEVENT
>   |   or VTODO with all the VTIMEZONEs it uses.

Please go ahead.

Regards,

	Joey

> Cheers,
>         Moritz
> diff -Naur evolution-2.0.4.orig/addressbook/gui/widgets/eab-contact-display.c evolution-2.0.4/addressbook/gui/widgets/eab-contact-display.c
> --- evolution-2.0.4.orig/addressbook/gui/widgets/eab-contact-display.c	Mon Feb 14 17:09:03 2005
> +++ evolution-2.0.4/addressbook/gui/widgets/eab-contact-display.c	Fri Nov 25 16:50:43 2005
> @@ -338,7 +338,7 @@
>  	accum_attribute (accum, contact, _("Yahoo"), E_CONTACT_IM_YAHOO_HOME_1, YAHOO_ICON, 0);
>  
>  	if (accum->len > 0)
> -		gtk_html_stream_printf (html_stream, accum->str);
> +		gtk_html_stream_printf (html_stream, "%s", accum->str);
>  
>  	end_block (html_stream);
>  
> @@ -353,7 +353,7 @@
>  
>  	if (accum->len > 0) {
>  		start_block (html_stream, _("work"));
> -		gtk_html_stream_printf (html_stream, accum->str);
> +		gtk_html_stream_printf (html_stream, "%s", accum->str);
>  		end_block (html_stream);
>  	}
>  
> @@ -368,7 +368,7 @@
>  
>  	if (accum->len > 0) {
>  		start_block (html_stream, _("personal"));
> -		gtk_html_stream_printf (html_stream, accum->str);
> +		gtk_html_stream_printf (html_stream, "%s", accum->str);
>  		end_block (html_stream);
>  	}
>  
> diff -Naur evolution-2.0.4.orig/calendar/gui/e-cal-component-preview.c evolution-2.0.4/calendar/gui/e-cal-component-preview.c
> --- evolution-2.0.4.orig/calendar/gui/e-cal-component-preview.c	Sun Apr 18 20:01:19 2004
> +++ evolution-2.0.4/calendar/gui/e-cal-component-preview.c	Fri Nov 25 16:50:43 2005
> @@ -285,7 +285,7 @@
>  					str = g_string_append_c (str, text.value[i]);
>  			}
>  
> -			gtk_html_stream_printf (stream, str->str);
> +			gtk_html_stream_printf (stream, "%s", str->str);
>  			g_string_free (str, TRUE);
>  		}
>  
> diff -Naur evolution-2.0.4.orig/calendar/gui/e-calendar-table.c evolution-2.0.4/calendar/gui/e-calendar-table.c
> --- evolution-2.0.4.orig/calendar/gui/e-calendar-table.c	Fri Sep 24 17:49:27 2004
> +++ evolution-2.0.4/calendar/gui/e-calendar-table.c	Fri Nov 25 16:50:43 2005
> @@ -1212,7 +1212,7 @@
>  		return;
>  	}
>  	
> -	fprintf (file, ical_string);
> +	fprintf (file, "%s", ical_string);
>  	g_free (ical_string);
>  	fclose (file);
>  }
> diff -Naur evolution-2.0.4.orig/calendar/gui/e-calendar-view.c evolution-2.0.4/calendar/gui/e-calendar-view.c
> --- evolution-2.0.4.orig/calendar/gui/e-calendar-view.c	Mon Feb 14 17:09:04 2005
> +++ evolution-2.0.4/calendar/gui/e-calendar-view.c	Fri Nov 25 16:50:43 2005
> @@ -1074,7 +1074,7 @@
>  		return;
>  	}
>  	
> -	fprintf (file, ical_string);
> +	fprintf (file, "%s", ical_string);
>  	g_free (ical_string);
>  	fclose (file);
>  

> diff -Naur evolution-1.0.5.orig/calendar/gui/dialogs/comp-editor.c evolution-1.0.5/calendar/gui/dialogs/comp-editor.c
> --- evolution-1.0.5.orig/calendar/gui/dialogs/comp-editor.c	2002-02-19 16:33:02.000000000 +0100
> +++ evolution-1.0.5/calendar/gui/dialogs/comp-editor.c	2005-12-01 15:01:23.000000000 +0100
> @@ -1088,7 +1088,7 @@
>  			return;
>  		}
>  
> -		fprintf (file, ical_string);
> +		fprintf (file, "%s", ical_string);
>  		g_free (ical_string);
>  		fclose (file);
>  


-- 
Reading is a lost art nowadays.  -- Michael Weber

Please always Cc to me when replying to me on the lists.



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 04:56:33 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 16:26:01 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.