Bug 540342 - Evolution Vulnerability
Status: RESOLVED FIXED
Product: GtkHtml
Classification: Other
Component: Editing
Version: 3.23.x
OS: Other Linux
Importance: Immediate blocker
Target Milestone: ---
Assigned To: gtkhtml-maintainers
QA Contact: Evolution QA team
Depends on:
Blocks:
Reported: 2008-06-26 15:23 UTC by Gianluca Borello
Modified: 2008-06-30 09:06 UTC
See Also:
GNOME target: 2.22.x
GNOME version: 2.21/2.22


Attachments
proposed gtkhtml patch (1.91 KB, patch), 2008-06-27 09:49 UTC, Milan Crha, committed

Description Gianluca Borello 2008-06-26 15:23:14 UTC
I don't know if developers have been informed about this issue; however, today I
read this on bugtraq:

http://www.securityfocus.com/archive/1/493686/30/0/threaded

Application: Evolution 2.22.2
OS: Linux - Ubuntu 8.04

------------------------------------------------------

1 - Description
2 - Vulnerability
3 - POC/EXPLOIT

------------------------------------------------------

Description

Evolution is an email client that is built with Ubuntu.

------------------------------------------------------

Vulnerability

The vulnerability works when mail is sent specially armed with HTML code; this causes the client to break.

Analyzing with a debugger, you can see the failure in the following function:

0xb7a219d7 in html_engine_get_view_width () from /usr/lib/libgtkhtml-3.14.so.19

------------------------------------------------------

POC/EXPLOIT

The proof of concept can be done locally: save the following code in an HTML file and then load it into an e-mail from the new option "insert" and "html file", which verifies that the client is broken.

<IFRAME SRC="A"></IFRAME>
<FRAMESET><FRAME SRC="A"></FRAMESET>

------------------------------------------------------

Juan Pablo Lopez Yacubian
Comment 1 André Klapper 2008-06-26 21:31:10 UTC
Gianluca: Yeah, it is a known issue since today, thanks for putting it here.

Srini: Can we please get this done for 2.22.3 (Monday)?
Comment 2 Milan Crha 2008-06-27 09:49:09 UTC
Created attachment 113517 [details] [review]
proposed gtkhtml patch

for gtkhtml;

Forgot to reparent the frame set too.
Comment 3 Gianluca Borello 2008-06-27 09:55:27 UTC
@andre: how did you know that? jplopezy@gmail.com informed you or did you read the bugtraq post?
Comment 4 Tobias Mueller 2008-06-27 15:03:01 UTC
Srini or Matthew, could anyone please review the patch and make it go in? The patch looks good to me, although I couldn't test it.
Comment 5 Srinivasa Ragavan 2008-06-27 18:23:47 UTC
I will review/test it before 2.22.3
Comment 6 Tobias Mueller 2008-06-29 16:43:06 UTC
I tested the patch; it works pretty well :)
I'd like to note that I wasn't able to exploit this issue remotely. That is, I could only make Evo crash by inserting this bogus HTML file into the composer, not by sending a specially crafted email to myself and displaying it with Evo.
Comment 7 Srinivasa Ragavan 2008-06-30 03:13:01 UTC
Committed to stable/trunk.
Comment 8 Suman Manjunath 2008-06-30 03:35:19 UTC
Patch committed to SVN stable (gnome-2-22) branch as r8880
http://svn.gnome.org/viewvc/gtkhtml?view=revision&revision=8880

Patch committed to SVN trunk as r8881
http://svn.gnome.org/viewvc/gtkhtml?view=revision&revision=8881