Bug 520745 - CVE-2008-0072 format string vulnerability on Evolution multiple versions
Status: RESOLVED FIXED
Product: evolution
Classification: Applications
Component: Mailer
Version: 2.22.x (obsolete)
OS: Other Linux
Importance: Immediate blocker
Target Milestone: ---
Assigned To: evolution-mail-maintainers
QA Contact: Evolution QA team
Depends on:
Blocks:
Reported: 2008-03-06 13:31 UTC by C de-Avillez
Modified: 2013-09-13 00:56 UTC
See Also:
GNOME target: 2.22.x
GNOME version: 2.21/2.22


Attachments
Suggested patch to trunk (2.26 KB, patch), 2008-03-06 13:51 UTC, Tor Lillqvist: rejected
Suggested patch to trunk (2.26 KB, patch), 2008-03-06 13:53 UTC, Tor Lillqvist: committed

Description C de-Avillez 2008-03-06 13:31:07 UTC
Original Ubuntu bug: https://bugs.launchpad.net/ubuntu/+source/evolution/+bug/198742

From Secunia advisory:

"Secunia Research has discovered a vulnerability in Evolution, which can be exploited by malicious people to compromise a vulnerable system.

A format string error in the "emf_multipart_encrypted()" function in mail/em-format.c when displaying data (e.g. the "Version:" field) from an encrypted e-mail message can be exploited to execute arbitrary code via a specially crafted e-mail message.

Successful exploitation requires that the user selects a malicious e-mail message.

The vulnerability is confirmed in version 2.12.3. Other versions may also be affected."

The Ubuntu bug reports Debian has already published a fix: http://www.debian.org/security/2008/dsa-1512
Comment 1 Tor Lillqvist 2008-03-06 13:51:20 UTC
Created attachment 106680: Suggested patch to trunk
Comment 2 Tor Lillqvist 2008-03-06 13:53:35 UTC
Created attachment 106681: Suggested patch to trunk
Comment 3 Srinivasa Ragavan 2008-03-06 15:58:49 UTC
By accident, you posted the same thing twice.

Tor, your patch is absolutely awesome. It fixes the security issue. The core issue was that the format specifier was missing and the string directly had the "%n", which accessed random locations to crash it on viewing the encrypted mail.

We should ask for a freeze break and commit it to trunk. I'll do that.
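The pattern Srinivasa describes, shown as an added C example that is not Evolution's code or the attached patch: the message's "Version:" value rendered through a constant "%s" format instead of being used as the format string itself. The function names and the sample value are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: a "Version:" value as it could arrive in a crafted
 * multipart/encrypted part. A real message carries just "1". */
static const char SAMPLE_VERSION[] = "1 %x %x %n";

/* Vulnerable pattern from the report, left as a comment so it never compiles:
 *     snprintf(out, out_len, untrusted_version);
 * the message data is the format string, so "%x" reads arguments that were
 * never passed and "%n" writes through one, hence the crash on viewing. */

/* Fixed pattern: constant format, data as an argument, so every '%' in the
 * data is copied literally. Returns what snprintf returns. */
static int render_version_line(const char *untrusted_version, char *out, size_t out_len)
{
    return snprintf(out, out_len, "Version: %s", untrusted_version);
}

/* Regression check: 1 if the rendered line is exactly "Version: " + value, byte for byte. */
static int version_line_is_literal(const char *untrusted_version)
{
    char out[256];
    int n = render_version_line(untrusted_version, out, sizeof out);
    if (n < 0 || (size_t)n >= sizeof out)
        return 0;   /* formatting error or truncation */
    return strncmp(out, "Version: ", 9) == 0 && strcmp(out + 9, untrusted_version) == 0;
}

/* Flags display data carrying a conversion specifier ('%' not followed by '%'
 * or end of string); useful for logging while hunting this bug class. */
static int has_conversion_specifier(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        if (s[1] != '\0')
            return 1;
    }
    return 0;
}

/* Runs the fixed renderer over the constructed sample; 1 means the directives
 * survived as plain text and the detector also flagged them. */
static int sample_check(void)
{
    return version_line_is_literal(SAMPLE_VERSION) && has_conversion_specifier(SAMPLE_VERSION);
}
```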
Comment 4 André Klapper 2008-03-06 16:09:03 UTC
Two r-t approvals by olav and vuntz on the r-t mailing list. Setting patch status to accepted-commit_now.
Comment 5 Tobias Mueller 2008-03-06 22:06:19 UTC
Committed as rev 35143.