After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 520745 - CVE-2008-0072 format string vulnerability on Evolution multiple versions
CVE-2008-0072 format string vulnerability on Evolution multiple versions
Product: evolution
Classification: Applications
Component: Mailer
2.22.x (obsolete)
Other Linux
: Immediate blocker
: ---
Assigned To: evolution-mail-maintainers
Evolution QA team
Depends on:
Reported: 2008-03-06 13:31 UTC by C de-Avillez
Modified: 2013-09-13 00:56 UTC
See Also:
GNOME target: 2.22.x
GNOME version: 2.21/2.22

Suggested patch to trunk (2.26 KB, patch)
2008-03-06 13:51 UTC, Tor Lillqvist
rejected Details | Review
Suggested patch to trunk (2.26 KB, patch)
2008-03-06 13:53 UTC, Tor Lillqvist
committed Details | Review

Description C de-Avillez 2008-03-06 13:31:07 UTC
original ubuntu bug:

From Secunia advisory:

"Secunia Research has discovered a vulnerability in Evolution, which can be exploited by malicious people to compromise a vulnerable system.

A format string error in the "emf_multipart_encrypted()" function in mail/em-format.c when displaying data (e.g. the "Version:" field) from an encrypted e-mail message can be exploited to execute arbitrary code via a specially crafted e-mail message.

Successful exploitation requires that the user selects a malicious e-mail message.

The vulnerability is confirmed in version 2.12.3. Other versions may also be affected."

The Ubuntu bug reports Debian has already published a fix:
Comment 1 Tor Lillqvist 2008-03-06 13:51:20 UTC
Created attachment 106680 [details] [review]
Suggested patch to trunk
Comment 2 Tor Lillqvist 2008-03-06 13:53:35 UTC
Created attachment 106681 [details] [review]
Suggested patch to trunk
Comment 3 Srinivasa Ragavan 2008-03-06 15:58:49 UTC
By accident, you posted the same thing twice.

Tor your patch is absolultely awesome. It fixes the security issue. The core issue was that format specifier was missing and the string directly had the "%n" which accessed random locations to crash it on viewing the encrypted mail.

We should ask for a freeze break and commit it to trunk. I'll do that.
Comment 4 André Klapper 2008-03-06 16:09:03 UTC
two r-t approvals by olav and vuntz on the r-t mailing list. setting patch status to accepted-commit_now.
Comment 5 Tobias Mueller 2008-03-06 22:06:19 UTC
Committed as rev 35143.