GNOME Bugzilla – Bug 540342
Evolution Vulnerability
Last modified: 2008-06-30 09:06:15 UTC
I don't know if developers have been informed about this issue; however, today I read this on bugtraq: http://www.securityfocus.com/archive/1/493686/30/0/threaded

Application: Evolution 2.22.2
OS: Linux - Ubuntu 8.04
------------------------------------------------------
1 - Description
2 - Vulnerability
3 - POC/EXPLOIT
------------------------------------------------------
Description

Evolution is an email client that is built with Ubuntu.
------------------------------------------------------
Vulnerability

The vulnerability is triggered when mail is sent that is specially armed with HTML code; this causes the client to break. Analyzing with a debugger, you can see the failure in the following function:

0xb7a219d7 in html_engine_get_view_width () from /usr/lib/libgtkhtml-3.14.so.19
------------------------------------------------------
POC/EXPLOIT

The proof of concept can be done locally: save the following code in an HTML file and then load it into an e-mail from the new option "insert" and "html file", and you can verify that the client breaks.

<IFRAME SRC="A"></IFRAME>
<FRAMESET><FRAME SRC="A"></FRAMESET>
------------------------------------------------------
Juan Pablo Lopez Yacubian
Gianluca: Yeah, it is a known issue since today, thanks for putting it here. Srini: Can we please get this done for 2.22.3 (Monday)?
Created attachment 113517 [details] [review]
proposed gtkhtml patch

For gtkhtml; forgot to reparent the frame set too.
@andre: how did you know that? jplopezy@gmail.com informed you or did you read the bugtraq post?
Srini or Matthew, could anyone please review the patch and make it go in? The patch looks good to me, although I couldn't test it.
I will review/test it before 2.22.3
I tested the patch, it works pretty well :) I'd like to note that I wasn't able to exploit this issue remotely. That is, I could only make Evo crash by inserting this bogus HTML file into the composer, not by sending a specially crafted email to myself and displaying it with Evo.
Commit to stable/trunk.
Patch committed to SVN stable (gnome-2-22) branch as r8880: http://svn.gnome.org/viewvc/gtkhtml?view=revision&revision=8880
Patch committed to SVN trunk as r8881: http://svn.gnome.org/viewvc/gtkhtml?view=revision&revision=8881