Comment 16 for bug 19920

Moritz Muehlenhoff wrote:
> Dear security team,
> so far there hasn't been a security update for the latest evolution
> vulnerabilities. (CVE-2005-2549/CVE-2005-2550)
> I've attached patches for Woody and Sarge. The Sarge fixes are straightforward,
> but some comments on Woody, relative to the patch hunks from the Sarge fix:
> - accum_attribute() isn't present in Woody, so hunk 1-3 are void.
> - the vulnerable code from e-cal-component-preview.c isn't present either.
> - the vulnerable code from e-calendar-table.c and e-calendar-view.c is contained
> in Woody, although in a different place. This is exploitable as well, have a
> look at the description of the function that feeds data into ical_string:
> | * cal-client/cal-client.c (cal_client_get_component_as_string): new
> | function to return a complete VCALENDAR string containing a VEVENT
> | or VTODO with all the VTIMEZONEs it uses.

Please go ahead.

Regards,

 Joey

> Cheers,
> Moritz
> diff -Naur evolution-2.0.4.orig/addressbook/gui/widgets/eab-contact-display.c evolution-2.0.4/addressbook/gui/widgets/eab-contact-display.c
> --- evolution-2.0.4.orig/addressbook/gui/widgets/eab-contact-display.c Mon Feb 14 17:09:03 2005
> +++ evolution-2.0.4/addressbook/gui/widgets/eab-contact-display.c Fri Nov 25 16:50:43 2005
> @@ -338,7 +338,7 @@
> accum_attribute (accum, contact, _("Yahoo"), E_CONTACT_IM_YAHOO_HOME_1, YAHOO_ICON, 0);
>
> if (accum->len > 0)
> - gtk_html_stream_printf (html_stream, accum->str);
> + gtk_html_stream_printf (html_stream, "%s", accum->str);
>
> end_block (html_stream);
>
> @@ -353,7 +353,7 @@
>
> if (accum->len > 0) {
> start_block (html_stream, _("work"));
> - gtk_html_stream_printf (html_stream, accum->str);
> + gtk_html_stream_printf (html_stream, "%s", accum->str);
> end_block (html_stream);
> }
>
> @@ -368,7 +368,7 @@
>
> if (accum->len > 0) {
> start_block (html_stream, _("personal"));
> - gtk_html_stream_printf (html_stream, accum->str);
> + gtk_html_stream_printf (html_stream, "%s", accum->str);
> end_block (html_stream);
> }
>
> diff -Naur evolution-2.0.4.orig/calendar/gui/e-cal-component-preview.c evolution-2.0.4/calendar/gui/e-cal-component-preview.c
> --- evolution-2.0.4.orig/calendar/gui/e-cal-component-preview.c Sun Apr 18 20:01:19 2004
> +++ evolution-2.0.4/calendar/gui/e-cal-component-preview.c Fri Nov 25 16:50:43 2005
> @@ -285,7 +285,7 @@
> str = g_string_append_c (str, text.value[i]);
> }
>
> - gtk_html_stream_printf (stream, str->str);
> + gtk_html_stream_printf (stream, "%s", str->str);
> g_string_free (str, TRUE);
> }
>
> diff -Naur evolution-2.0.4.orig/calendar/gui/e-calendar-table.c evolution-2.0.4/calendar/gui/e-calendar-table.c
> --- evolution-2.0.4.orig/calendar/gui/e-calendar-table.c Fri Sep 24 17:49:27 2004
> +++ evolution-2.0.4/calendar/gui/e-calendar-table.c Fri Nov 25 16:50:43 2005
> @@ -1212,7 +1212,7 @@
> return;
> }
>
> - fprintf (file, ical_string);
> + fprintf (file, "%s", ical_string);
> g_free (ical_string);
> fclose (file);
> }
> diff -Naur evolution-2.0.4.orig/calendar/gui/e-calendar-view.c evolution-2.0.4/calendar/gui/e-calendar-view.c
> --- evolution-2.0.4.orig/calendar/gui/e-calendar-view.c Mon Feb 14 17:09:04 2005
> +++ evolution-2.0.4/calendar/gui/e-calendar-view.c Fri Nov 25 16:50:43 2005
> @@ -1074,7 +1074,7 @@
> return;
> }
>
> - fprintf (file, ical_string);
> + fprintf (file, "%s", ical_string);
> g_free (ical_string);
> fclose (file);
>

> diff -Naur evolution-1.0.5.orig/calendar/gui/dialogs/comp-editor.c evolution-1.0.5/calendar/gui/dialogs/comp-editor.c
> --- evolution-1.0.5.orig/calendar/gui/dialogs/comp-editor.c 2002-02-19 16:33:02.000000000 +0100
> +++ evolution-1.0.5/calendar/gui/dialogs/comp-editor.c 2005-12-01 15:01:23.000000000 +0100
> @@ -1088,7 +1088,7 @@
> return;
> }
>
> - fprintf (file, ical_string);
> + fprintf (file, "%s", ical_string);
> g_free (ical_string);
> fclose (file);
>

--
Reading is a lost art nowadays. -- Michael Weber

Please always Cc to me when replying to me on the lists.