[Bug 13678] evolution: Multiple format string vulnerabilities in Evolution
bugzilla-daemon at bugzilla.ubuntu.com
Thu Dec 1 14:46:17 UTC 2005
Please do not reply to this email. You can add comments at
http://bugzilla.ubuntu.com/show_bug.cgi?id=13678
Ubuntu | evolution
------- Additional Comments From debzilla at ubuntu.com 2005-12-01 14:46 UTC -------
Message-ID: <20051201141342.GA13187 at informatik.uni-bremen.de>
Date: Thu, 1 Dec 2005 15:13:42 +0100
From: Moritz Muehlenhoff <jmm at inutil.org>
To: team at security.debian.org
Cc: 322535 at bugs.debian.org
Subject: evolution CVE-2005-2549/CVE-2005-2550
Dear security team,
So far there hasn't been a security update for the latest evolution
vulnerabilities (CVE-2005-2549/CVE-2005-2550).
I've attached patches for Woody and Sarge. The Sarge fixes are straightforward,
but here are some comments on Woody, relative to the patch hunks from the Sarge fix:
- accum_attribute() isn't present in Woody, so hunks 1-3 are void.
- the vulnerable code from e-cal-component-preview.c isn't present either.
- the vulnerable code from e-calendar-table.c and e-calendar-view.c is contained
in Woody, although in a different place. This is exploitable as well; have a
look at the description of the function that feeds data into ical_string:
| * cal-client/cal-client.c (cal_client_get_component_as_string): new
| function to return a complete VCALENDAR string containing a VEVENT
| or VTODO with all the VTIMEZONEs it uses.
Cheers,
Moritz
Attachment: CVE-2005-2549-CVE-2005-2550-evolution-sarge.patch
diff -Naur evolution-2.0.4.orig/addressbook/gui/widgets/eab-contact-display.c evolution-2.0.4/addressbook/gui/widgets/eab-contact-display.c
--- evolution-2.0.4.orig/addressbook/gui/widgets/eab-contact-display.c Mon Feb 14 17:09:03 2005
+++ evolution-2.0.4/addressbook/gui/widgets/eab-contact-display.c Fri Nov 25 16:50:43 2005
@@ -338,7 +338,7 @@
accum_attribute (accum, contact, _("Yahoo"), E_CONTACT_IM_YAHOO_HOME_1, YAHOO_ICON, 0);
if (accum->len > 0)
- gtk_html_stream_printf (html_stream, accum->str);
+ gtk_html_stream_printf (html_stream, "%s", accum->str);
end_block (html_stream);
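Review bot: the "%s" fix is the right one, since accum->str here holds IM account names taken straight from the contact (attacker data once a vCard has been imported), but the text still goes through a formatter it does not need; if this gtkhtml version offers gtk_html_stream_write (html_stream, accum->str, accum->len), emitting the GString verbatim with its known length is the cleaner idiom and cannot regress into a format string again.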
@@ -353,7 +353,7 @@
if (accum->len > 0) {
start_block (html_stream, _("work"));
- gtk_html_stream_printf (html_stream, accum->str);
+ gtk_html_stream_printf (html_stream, "%s", accum->str);
end_block (html_stream);
}
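Review bot: this is the second of three identical call sites patched one line at a time; before declaring the CVE closed it is worth grepping the rest of the addressbook and calendar tree for gtk_html_stream_printf calls whose format argument is not a string literal (gcc's -Wformat-security flags exactly this shape when no further arguments follow), rather than relying on the three spots the advisory happened to name.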
@@ -368,7 +368,7 @@
if (accum->len > 0) {
start_block (html_stream, _("personal"));
- gtk_html_stream_printf (html_stream, accum->str);
+ gtk_html_stream_printf (html_stream, "%s", accum->str);
end_block (html_stream);
}
diff -Naur evolution-2.0.4.orig/calendar/gui/e-cal-component-preview.c evolution-2.0.4/calendar/gui/e-cal-component-preview.c
--- evolution-2.0.4.orig/calendar/gui/e-cal-component-preview.c Sun Apr 18 20:01:19 2004
+++ evolution-2.0.4/calendar/gui/e-cal-component-preview.c Fri Nov 25 16:50:43 2005
@@ -285,7 +285,7 @@
str = g_string_append_c (str, text.value[i]);
}
- gtk_html_stream_printf (stream, str->str);
+ gtk_html_stream_printf (stream, "%s", str->str);
g_string_free (str, TRUE);
}
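Review bot: str is assembled one byte at a time from text.value and then used as the format, so "%s" is the correct fix, but note that a "%s" write stops at the first NUL while the GString carries its own length in str->len; if the description text can contain embedded NULs, a length-based write of str->str/str->len would be the more faithful replacement than a printf-family call.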
diff -Naur evolution-2.0.4.orig/calendar/gui/e-calendar-table.c evolution-2.0.4/calendar/gui/e-calendar-table.c
--- evolution-2.0.4.orig/calendar/gui/e-calendar-table.c Fri Sep 24 17:49:27 2004
+++ evolution-2.0.4/calendar/gui/e-calendar-table.c Fri Nov 25 16:50:43 2005
@@ -1212,7 +1212,7 @@
return;
}
- fprintf (file, ical_string);
+ fprintf (file, "%s", ical_string);
g_free (ical_string);
fclose (file);
}
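Review bot: fprintf (file, "%s", ical_string) closes the hole, but fputs (ical_string, file) does the same job with no format machinery at all and reads as what it is, a verbatim write; separately, neither the fprintf nor the fclose return value is checked here, so a short write of the .ics (disk full, quota) is silently reported as success. Consider checking fclose and surfacing the error to the caller.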
diff -Naur evolution-2.0.4.orig/calendar/gui/e-calendar-view.c evolution-2.0.4/calendar/gui/e-calendar-view.c
--- evolution-2.0.4.orig/calendar/gui/e-calendar-view.c Mon Feb 14 17:09:04 2005
+++ evolution-2.0.4/calendar/gui/e-calendar-view.c Fri Nov 25 16:50:43 2005
@@ -1074,7 +1074,7 @@
return;
}
- fprintf (file, ical_string);
+ fprintf (file, "%s", ical_string);
g_free (ical_string);
fclose (file);
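Review bot: same pattern and same suggestion as the e-calendar-table.c hunk (fputs, check fclose). Since the cover letter describes the producer of ical_string as returning a complete VCALENDAR string, every text property of the event or task is reachable through this fprintf, so the literal-format fix is needed for all of it, not just the summary a user would see on screen.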
Attachment: CVE-2005-2549-CVE-2005-2550-evolution-woody.patch
diff -Naur evolution-1.0.5.orig/calendar/gui/dialogs/comp-editor.c evolution-1.0.5/calendar/gui/dialogs/comp-editor.c
--- evolution-1.0.5.orig/calendar/gui/dialogs/comp-editor.c 2002-02-19 16:33:02.000000000 +0100
+++ evolution-1.0.5/calendar/gui/dialogs/comp-editor.c 2005-12-01 15:01:23.000000000 +0100
@@ -1088,7 +1088,7 @@
return;
}
- fprintf (file, ical_string);
+ fprintf (file, "%s", ical_string);
g_free (ical_string);
fclose (file);
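Review bot: this is the only hunk in the Woody patch, while the cover letter says the vulnerable e-calendar-table.c / e-calendar-view.c code exists in Woody "in a different place"; please confirm that this comp-editor.c save path is the single site the two Sarge locations collapse to in 1.0.5, and grep for any other fprintf (file, ical_string) callers before upload. The fputs / fclose-check remarks from the Sarge hunks apply here unchanged.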
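The bug class behind both CVEs, shown as an added example that is not Evolution code: an attacker-controlled string passed as the format argument of a printf-family function, next to the one-line "%s" fix the patches apply. The .ics text is constructed for the demo; render_vulnerable, render_fixed and count_conversions are names chosen here, not functions from the Evolution tree. To keep the vulnerable path free of undefined behaviour, the demo hands the formatter exactly the two values its directives consume; in the real calls nothing was passed, so each directive read whatever sat in the argument registers or on the stack.

```c
/*
 * Added example (not Evolution code): why passing attacker-controlled text
 * as the format argument is a vulnerability, and why the one-line "%s" fix
 * in the patches above is sufficient.
 */
#include <stdio.h>
#include <string.h>

/* Constructed sample: an iCalendar event whose SUMMARY carries two printf
 * directives. In the real bug this is the string Evolution handed to
 * fprintf (file, ical_string); it originates from a received or imported .ics. */
static const char SAMPLE_ICS[] =
    "BEGIN:VCALENDAR\r\n"
    "BEGIN:VEVENT\r\n"
    "SUMMARY:Team lunch %08x.%08x\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n";

/* Vulnerable shape: the untrusted string IS the format. This demo supplies
 * the two values its directives will consume so the call stays well defined;
 * in Evolution no arguments were passed, so each %x read whatever was in the
 * argument registers or on the stack, %s would dereference those values,
 * and %n would write through them. */
const char *render_vulnerable(const char *ical_string, unsigned a, unsigned b)
{
    static char out[512];
    snprintf(out, sizeof out, ical_string, a, b);   /* data treated as format */
    return out;
}

/* Fixed shape, as in the patches: literal format, data as the argument. */
const char *render_fixed(const char *ical_string)
{
    static char out[512];
    snprintf(out, sizeof out, "%s", ical_string);
    return out;
}

/* Triage helper: count the conversion specifications an untrusted string
 * would introduce if it were misused as a format ("%%" is a literal percent). */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {  /* escaped percent sign, not a conversion */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    printf("directives in untrusted input: %d\n", count_conversions(SAMPLE_ICS));
    printf("--- vulnerable (data used as format) ---\n%s",
           render_vulnerable(SAMPLE_ICS, 0xdeadbeefu, 0xcafebabeu));
    printf("--- fixed (\"%%s\" format) ---\n%s", render_fixed(SAMPLE_ICS));
    return 0;
}
```

The vulnerable path turns "Team lunch %08x.%08x" into "Team lunch deadbeef.cafebabe", i.e. the event text was interpreted rather than written; the fixed path reproduces the input byte for byte. Building with gcc -Wformat=2 (which enables -Wformat-nonliteral) warns on the snprintf in render_vulnerable; -Wformat-security alone only warns when no arguments follow the format, which is exactly the shape of the original fprintf (file, ical_string) and gtk_html_stream_printf (stream, str->str) calls.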
More information about the desktop-bugs mailing list