Ubuntu
evolution package

Bug #19920
Comment #15

Comment 15 for bug 19920

Revision history for this message

Debian Bug Importer (debzilla) wrote on 2005-12-01:

#15

Message-ID: <email address hidden>
Date: Thu, 1 Dec 2005 15:13:42 +0100
From: Moritz Muehlenhoff <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: evolution CVE-2005-2549/CVE-2005-2550

--G4iJoqBmSsgzjUCe
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Dear security team,
so far there hasn't been a security update for the latest evolution
vulnerabilities. (CVE-2005-2549/CVE-2005-2550)
I've attached patches for Woody and Sarge. The Sarge fixes are straightforward,
but some comments on Woody, relative to the patch hunks from the Sarge fix:
- accum_attribute() isn't present in Woody, so hunk 1-3 are void.
- the vulnerable code from e-cal-component-preview.c isn't present either.
- the vulnerable code from e-calendar-table.c and e-calendar-view.c is contained
  in Woody, although in a different place. This is exploitable as well, have a
  look at the description of the function that feeds data into ical_string:
  | * cal-client/cal-client.c (cal_client_get_component_as_string): new
  | function to return a complete VCALENDAR string containing a VEVENT
  | or VTODO with all the VTIMEZONEs it uses.

Cheers,
Moritz
--G4iJoqBmSsgzjUCe
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="CVE-2005-2549-CVE-2005-2550-evolution-sarge.patch"

if (accum->len > 0)
- gtk_html_stream_printf (html_stream, accum->str);
+ gtk_html_stream_printf (html_stream, "%s", accum->str);

end_block (html_stream);

@@ -353,7 +353,7 @@

  if (accum->len > 0) {
   start_block (html_stream, _("work"));
- gtk_html_stream_printf (html_stream, accum->str);
+ gtk_html_stream_printf (html_stream, "%s", accum->str);
   end_block (html_stream);
  }

@@ -368,7 +368,7 @@

  if (accum->len > 0) {
   start_block (html_stream, _("personal"));
- gtk_html_stream_printf (html_stream, accum->str);
+ gtk_html_stream_printf (html_stream, "%s", accum->str);
   end_block (html_stream);
  }

diff -Naur evolution-2.0.4.orig/calendar/gui/e-cal-component-preview.c evolution-2.0.4/calendar/gui/e-cal-component-preview.c
--- evolution-2.0.4.orig/calendar/gui/e-cal-component-preview.c Sun Apr 18 20:01:19 2004
+++ evolution-2.0.4/calendar/gui/e-cal-component-preview.c Fri Nov 25 16:50:43 2005
@@ -285,7 +285,7 @@
str = g_string_append_c (str, text.value[i]);
}

- gtk_html_stream_printf (stream, str->str);
+ gtk_html_stream_printf (stream, "%s", str->str);
g_string_free (str, TRUE);
}

diff -Naur evolution-2.0.4.orig/calendar/gui/e-calendar-table.c evolution-2.0.4/calendar/gui/e-calendar-table.c
--- evolution-2.0.4.orig/calendar/gui/e-calendar-table.c Fri Sep 24 17:49:27 2004
+++ evolution-2.0.4/calendar/gui/e-calendar-table.c Fri Nov 25 16:50:43 2005
@@ -1212,7 +1212,7 @@
return;
}

- fprintf (file, ical_string);
+ fprintf (file, "%s", ical_string);
  g_free (ical_string);
  fclose (file);
}
diff -Naur evolution-2.0.4.orig/calendar/gui/e-calendar-view.c evolution-2.0.4/calendar/gui/e-calendar-view.c
--- evolution-2.0.4.orig/calendar/gui/e-calendar-view.c Mon Feb 14 17:09:04 2005
+++ evolution-2.0.4/calendar/gui/e-calendar-view.c Fri Nov 25 16:50:43 2005
@@ -1074,7 +1074,7 @@
   return;
  }

- fprintf (file, ical_string);
+ fprintf (file, "%s", ical_string);
g_free (ical_string);
fclose (file);

--G4iJoqBmSsgzjUCe
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="CVE-2005-2549-CVE-2005-2550-evolution-woody.patch"

diff -Naur evolution-1.0.5.orig/calendar/gui/dialogs/comp-editor.c evolution-1.0.5/calendar/gui/dialogs/comp-editor.c
--- evolution-1.0.5.orig/calendar/gui/dialogs/comp-editor.c 2002-02-19 16:33:02.000000000 +0100
+++ evolution-1.0.5/calendar/gui/dialogs/comp-editor.c 2005-12-01 15:01:23.000000000 +0100
@@ -1088,7 +1088,7 @@
return;
}

- fprintf (file, ical_string);
+ fprintf (file, "%s", ical_string);
g_free (ical_string);
fclose (file);

--G4iJoqBmSsgzjUCe--

Message-ID: <20051201141342.GA13187@informatik.uni-bremen.de>
Date: Thu, 1 Dec 2005 15:13:42 +0100
From: Moritz Muehlenhoff <jmm@inutil.org>
To: team@security.debian.org
Cc: 322535@bugs.debian.org
Subject: evolution CVE-2005-2549/CVE-2005-2550

--G4iJoqBmSsgzjUCe
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Dear security team,
so far there hasn't been a security update for the latest evolution
vulnerabilities. (CVE-2005-2549/CVE-2005-2550)
I've attached patches for Woody and Sarge. The Sarge fixes are straightforward,
but some comments on Woody, relative to the patch hunks from the Sarge fix:
- accum_attribute() isn't present in Woody, so hunk 1-3 are void.
- the vulnerable code from e-cal-component-preview.c isn't present either.
- the vulnerable code from e-calendar-table.c and e-calendar-view.c is contained
  in Woody, although in a different place. This is exploitable as well, have a
  look at the description of the function that feeds data into ical_string:
  | * cal-client/cal-client.c (cal_client_get_component_as_string): new
  |   function to return a complete VCALENDAR string containing a VEVENT
  |   or VTODO with all the VTIMEZONEs it uses.

Cheers,
        Moritz
--G4iJoqBmSsgzjUCe
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="CVE-2005-2549-CVE-2005-2550-evolution-sarge.patch"

diff -Naur evolution-2.0.4.orig/addressbook/gui/widgets/eab-contact-display.c evolution-2.0.4/addressbook/gui/widgets/eab-contact-display.c
--- evolution-2.0.4.orig/addressbook/gui/widgets/eab-contact-display.c	Mon Feb 14 17:09:03 2005
+++ evolution-2.0.4/addressbook/gui/widgets/eab-contact-display.c	Fri Nov 25 16:50:43 2005
@@ -338,7 +338,7 @@
 	accum_attribute (accum, contact, _("Yahoo"), E_CONTACT_IM_YAHOO_HOME_1, YAHOO_ICON, 0);
 
 	if (accum->len > 0)
-		gtk_html_stream_printf (html_stream, accum->str);
+		gtk_html_stream_printf (html_stream, "%s", accum->str);
 
 	end_block (html_stream);
 
@@ -353,7 +353,7 @@
 
 	if (accum->len > 0) {
 		start_block (html_stream, _("work"));
-		gtk_html_stream_printf (html_stream, accum->str);
+		gtk_html_stream_printf (html_stream, "%s", accum->str);
 		end_block (html_stream);
 	}
 
@@ -368,7 +368,7 @@
 
 	if (accum->len > 0) {
 		start_block (html_stream, _("personal"));
-		gtk_html_stream_printf (html_stream, accum->str);
+		gtk_html_stream_printf (html_stream, "%s", accum->str);
 		end_block (html_stream);
 	}
 
diff -Naur evolution-2.0.4.orig/calendar/gui/e-cal-component-preview.c evolution-2.0.4/calendar/gui/e-cal-component-preview.c
--- evolution-2.0.4.orig/calendar/gui/e-cal-component-preview.c	Sun Apr 18 20:01:19 2004
+++ evolution-2.0.4/calendar/gui/e-cal-component-preview.c	Fri Nov 25 16:50:43 2005
@@ -285,7 +285,7 @@
 					str = g_string_append_c (str, text.value[i]);
 			}
 
-			gtk_html_stream_printf (stream, str->str);
+			gtk_html_stream_printf (stream, "%s", str->str);
 			g_string_free (str, TRUE);
 		}
 
diff -Naur evolution-2.0.4.orig/calendar/gui/e-calendar-table.c evolution-2.0.4/calendar/gui/e-calendar-table.c
--- evolution-2.0.4.orig/calendar/gui/e-calendar-table.c	Fri Sep 24 17:49:27 2004
+++ evolution-2.0.4/calendar/gui/e-calendar-table.c	Fri Nov 25 16:50:43 2005
@@ -1212,7 +1212,7 @@
 		return;
 	}
 	
-	fprintf (file, ical_string);
+	fprintf (file, "%s", ical_string);
 	g_free (ical_string);
 	fclose (file);
 }
diff -Naur evolution-2.0.4.orig/calendar/gui/e-calendar-view.c evolution-2.0.4/calendar/gui/e-calendar-view.c
--- evolution-2.0.4.orig/calendar/gui/e-calendar-view.c	Mon Feb 14 17:09:04 2005
+++ evolution-2.0.4/calendar/gui/e-calendar-view.c	Fri Nov 25 16:50:43 2005
@@ -1074,7 +1074,7 @@
 		return;
 	}
 	
-	fprintf (file, ical_string);
+	fprintf (file, "%s", ical_string);
 	g_free (ical_string);
 	fclose (file);

--G4iJoqBmSsgzjUCe
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="CVE-2005-2549-CVE-2005-2550-evolution-woody.patch"

diff -Naur evolution-1.0.5.orig/calendar/gui/dialogs/comp-editor.c evolution-1.0.5/calendar/gui/dialogs/comp-editor.c
--- evolution-1.0.5.orig/calendar/gui/dialogs/comp-editor.c	2002-02-19 16:33:02.000000000 +0100
+++ evolution-1.0.5/calendar/gui/dialogs/comp-editor.c	2005-12-01 15:01:23.000000000 +0100
@@ -1088,7 +1088,7 @@
 			return;
 		}
 
-		fprintf (file, ical_string);
+		fprintf (file, "%s", ical_string);
 		g_free (ical_string);
 		fclose (file);

--G4iJoqBmSsgzjUCe--

Ubuntuevolution package

Comment 15 for bug 19920

Ubuntu
evolution package