evolution: Multiple format string vulnerabilities in Evolution

Automatically imported from Debian bug report #322535 http://bugs.debian.org/322535

Already fixed in Ubuntu.

Message-Id: <email address hidden>
Date: Thu, 11 Aug 2005 11:25:46 +0200
From: Moritz Muehlenhoff <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: evolution: Multiple format string vulnerabilities in Evolution

Package: evolution
Severity: grave
Tags: security

Multiple exploitable format string vulnerabilities have been found in
Evolution. Please see
http://www.securityfocus.com/archive/1/407789/30/0/threaded
for details. 2.3.7 fixes all these issues.

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-rc5
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)

Message-ID: <email address hidden>
Date: Sat, 13 Aug 2005 12:47:45 +0200
From: Ulf Harnhammar <email address hidden>
To: <email address hidden>
Subject: Patch

If you don't want to upgrade to 2.3.7, which is unstable, you
can use our unofficial patch:

  o http://www.sitic.se/dokument/evolution.formatstring.patch

// Ulf

Message-ID: <email address hidden>
Date: Mon, 22 Aug 2005 22:24:16 +0100
From: Neil McGovern <email address hidden>
To: <email address hidden>
Subject: NMU

--/JIF1IJL1ITjxcV4
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi there,

Can you please update the package.
If there's no reply by Friday, I'll prepare an NMU.

Many thanks,
Neil McGovern
--=20
   __ =20
 .=C5=BD `. <email address hidden> | Application Manager
 : :' ! ---------------- | Secure-Testing Team member
 `. `=C5=BD gpg: B345BDD3 | Webapps Team member
   `- Please don't cc, I'm subscribed to the list

--/JIF1IJL1ITjxcV4
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDCkKA97LBwbNFvdMRArB6AJ0bit6XBExBMmVKpDV2VN0CFPmQ6QCfXUi5
eELzuYKIHgLfTY/9PjdkDQQ=
=YVfb
-----END PGP SIGNATURE-----

--/JIF1IJL1ITjxcV4--

Message-Id: <email address hidden>
Date: Thu, 25 Aug 2005 10:37:48 +0900
From: Takuo KITAME <email address hidden>
To: <email address hidden>, Neil McGovern <email address hidden>
Subject: Re: [Evolution] Bug#322535: NMU

2005-08-22 ($B7n(B) $B$N(B 22:24 +0100 $B$K(B Neil McGovern $B$5$s$O=q$-$^$7$?(B:
> Hi there,
>
> Can you please update the package.
> If there's no reply by Friday, I'll prepare an NMU.
>
> Many thanks,
> Neil McGovern

It seems no upstream release for 2.2.x (stable).
Please wait.

--
Takuo KITAME

Message-ID: <email address hidden>
Date: Fri, 26 Aug 2005 21:23:31 +0100
From: Neil McGovern <email address hidden>
To: <email address hidden>
Subject: Re: [Evolution] Bug#322535: NMU

--UlVJffcvxoiEqYs2
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi there,

Although there's no new upstream stable, there's a nice patch that would
fix this security bug. See earlier in the thread.

Could you please apply this?

Cheers,
Neil
--=20
   __ =20
 .=C5=BD `. <email address hidden> | Application Manager
 : :' ! ---------------- | Secure-Testing Team member
 `. `=C5=BD gpg: B345BDD3 | Webapps Team member
   `- Please don't cc, I'm subscribed to the list

--UlVJffcvxoiEqYs2
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDD3pD97LBwbNFvdMRAgmhAJ9qnl+luXot6sWqjHH7tamxPFV8fACeOm0E
hl0t7Dk2ZTUlf9DCv+bGlpw=
=WP7+
-----END PGP SIGNATURE-----

--UlVJffcvxoiEqYs2--

Message-Id: <email address hidden>
Date: Sat, 27 Aug 2005 18:41:57 +0100
From: "Adam D. Barratt" <email address hidden>
To: <email address hidden>, <email address hidden>
Cc: <email address hidden>
Subject: #322535 appears to be fixed

Version: 2.2.3-3

Hi,

It looks like this was fixed in the evolution 2.2.3-3 packages uploaded
on Thursday, but not closed due to a typo in the changelog:

evolution (2.2.3-3) unstable; urgency=high

   * security fix. (closes: Bug#32253)
     - Multiple exploitable format string vulnerabilities
       Applied unofficial security fix patch from
       http://www.sitic.se/dokument/evolution.formatstring.patch

 -- Takuo KITAME <email address hidden> Thu, 25 Aug 2005 14:58:34 +0900

Closing now.

Regards,

Adam

Message-ID: <email address hidden>
Date: Thu, 1 Dec 2005 15:13:42 +0100
From: Moritz Muehlenhoff <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: evolution CVE-2005-2549/CVE-2005-2550

--G4iJoqBmSsgzjUCe
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Dear security team,
so far there hasn't been a security update for the latest evolution
vulnerabilities. (CVE-2005-2549/CVE-2005-2550)
I've attached patches for Woody and Sarge. The Sarge fixes are straightforward,
but some comments on Woody, relative to the patch hunks from the Sarge fix:
- accum_attribute() isn't present in Woody, so hunk 1-3 are void.
- the vulnerable code from e-cal-component-preview.c isn't present either.
- the vulnerable code from e-calendar-table.c and e-calendar-view.c is contained
  in Woody, although in a different place. This is exploitable as well, have a
  look at the description of the function that feeds data into ical_string:
  | * cal-client/cal-client.c (cal_client_get_component_as_string): new
  | function to return a complete VCALENDAR string containing a VEVENT
  | or VTODO with all the VTIMEZONEs it uses.

Cheers,
        Moritz
--G4iJoqBmSsgzjUCe
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="CVE-2005-2549-CVE-2005-2550-evolution-sarge.patch"

diff -Naur evolution-2.0.4.orig/addressbook/gui/widgets/eab-contact-display.c evolution-2.0.4/addressbook/gui/widgets/eab-contact-display.c
--- evolution-2.0.4.orig/addressbook/gui/widgets/eab-contact-display.c Mon Feb 14 17:09:03 2005
+++ evolution-2.0.4/addressbook/gui/widgets/eab-contact-display.c Fri Nov 25 16:50:43 2005
@@ -338,7 +338,7 @@
  accum_attribute (accum, contact, _("Yahoo"), E_CONTACT_IM_YAHOO_HOME_1, YAHOO_ICON, 0);

  if (accum->len > 0)
- gtk_html_stream_printf (html_stream, accum->str);
+ gtk_html_stream_printf (html_stream, "%s", accum->str);

  end_block (html_stream);

@@ -353,7 +353,7 @@

  if (accum->len > 0) {
   start_block (html_stream, _("work"));
- gtk_html_stream_printf (html_stream, accum->str);
+ gtk_html_stream_printf (html_stream, "%s", accum->str);
   end_block (html_stream);
  }

@@ -368,7 +368,7 @@

  if (accum->len > 0) {
   start_block (html_stream, _("personal"));
- gtk_html_stream_printf (html_stream, accum->str);
+ gtk_html_stream_printf (html_stream, "%s", accum->str);
   end_block (html_stream);
  }

diff -Naur evolution-2.0.4.orig/calendar/gui/e-cal-component-preview.c evolution-2.0.4/calendar/gui/e-cal-component-preview.c
--- evolution-2.0.4.orig/calendar/gui/e-cal-component-preview.c Sun Apr 18 20:01:19 2004
+++ evolution-2.0.4/calendar/gui/e-cal-component-preview.c Fri Nov 25 16:50:43 2005
@@ -285,7 +285,7 @@
      str = g_string_append_c (str, text.value[i]);
    }

- gtk_html_stream_printf (stream, str->str);
+ gtk_html_stream_printf (stream, "%s", str->str);
    g_string_free (str, TRUE);
   }

diff -Naur evolution-2.0.4.orig/calendar/gui/e-calendar-table.c evolution-2.0.4/calendar/gui/e-calendar-table.c
--- evolution-2.0.4.orig/calendar/gui/e-calendar-table.c Fri Sep 24 17:49:27 2004
+++ evolution-2.0.4/calendar/gui/e-ca...