Bug 65116 (CVE-2005-0102)

Summary: VUL-0: CVE-2005-0102: evolution: integer overflow in helper app
Product: [Novell Products] SUSE Security Incidents Reporter: Thomas Biege <thomas>
Component: IncidentsAssignee: Stanislav Brabec <sbrabec>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: gnome-bugs, patch-request, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: CVE-2005-0102: CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Thomas Biege 2005-01-24 19:10:24 UTC 
Hi, 
we received the following through vendor-sec. 
 
----- Forwarded message from Martin Schulze <joey@infodrom.org> ----- 
 
From: Martin Schulze <joey@infodrom.org> 
To: Free Software Distribution Vendors <vendor-sec@lst.de> 
User-Agent: Mutt/1.5.6+20040907i 
Subject: [vendor-sec] CAN-2005-0102: Arbitrary code execution in 
Evolution 
Errors-To: vendor-sec-admin@lst.de 
Date: Sun, 23 Jan 2005 11:18:45 +0100 
 
Max Vozeler discovered an integer overflow in the helper application 
camel-lock-helper which runs setuid root or setgid mail inside of 
Evolution, a free grouware suite.  A local attacker can cause the 
setuid root helper to execute arbitrary code with elevated privileges 
via a malicious POP server. 
 
This is public already. 
 
We tried to disclose this responsible with somebody from Novell who 
was also contacted by Max.  However, despite "We are reviewing the 
patch and the issue." last Tuesday the fix was committed publically 
and announced: 
 
Message by NotZed: 
http://lists.ximian.com/archives/public/evolution-patches/2005-January/008672.html 
 
CVS commit: 
http://cvs.gnome.org/viewcvs/evolution/camel/camel-lock-helper.c?rev=1.7&hideattic=0&view=log 
 
I'm sorry for this. 
 
We're going to fix this with the attached patch. 
 
Since this one is public already I don't want to wait too long with 
updates, so no or little coordination is possible.  We're probably 
going for Monday or Tuesday. 
 
Regards, 
 
        Joey 
 
-- 
GNU does not eliminate all the world's problems, only some of them. 
                                                -- The GNU Manifesto 
 
--- evolution-1.0.5.orig/camel/camel-lock-helper.c      2001-10-27 
18:59:27.000000000 +0200 
+++ evolution-1.0.5/camel/camel-lock-helper.c   2005-01-21 
16:57:44.000000000 +0100 
@@ -360,6 +360,8 @@ int main(int argc, char **argv) 
                        switch(msg.id) { 
                        case CAMEL_LOCK_HELPER_LOCK: 
                                res = CAMEL_LOCK_HELPER_STATUS_NOMEM; 
+                               if (msg.data+1 < msg.data) 
+                                       break; 
                                path = malloc(msg.data+1); 
                                if (path != NULL) { 
                                        res = 
CAMEL_LOCK_HELPER_STATUS_PROTOCOL; 
 
 
----- End forwarded message -----
Comment 1 Thomas Biege 2005-01-24 19:10:25 UTC 
<!-- SBZ_reproduce  -->
.
Comment 2 Stanislav Brabec 2005-01-24 21:36:34 UTC 
Comparing upper mentioned patch and CVS version, it seems, that both does the
same. Will apply upped mentioned one. The bug moved to evolution-data-server in
newer versions.
Comment 3 Stanislav Brabec 2005-01-24 21:41:38 UTC 
There is a difference: version in CVS returns CAMEL_LOCK_HELPER_STATUS_PROTOCOL,
this one returns CAMEL_LOCK_HELPER_STATUS_NOMEM. Version in CVS may not work.

Because msg.data is declared as uint32, (msg.data+1 < msg.data) is true for
2^32, for CVS version, comparison is done against 0xffff.

Will apply CVS version.
Comment 4 Stanislav Brabec 2005-01-24 23:16:12 UTC 
Fix submitted for:

evolution-data-server: STABLE, PLUS

evolution: 8.1, 8.2, 9.0, 9.1, 9.2, SLES9-SLD, SLES8-SLEC.
Comment 5 Thomas Biege 2005-01-25 01:16:09 UTC 
Thanks. I'll do swamp and patchinfo files tomorrow.
Comment 6 Thomas Biege 2005-01-25 01:22:21 UTC 
Hm, looks like we don't have the app. installed setuid.
Comment 7 Thomas Biege 2005-01-25 19:59:28 UTC 
 SM-Tracker-216
Comment 8 Thomas Biege 2005-01-25 21:05:09 UTC 
`patchinfo-box.evolution' -> 
`/work/src/done/PATCHINFO/patchinfo-box.evolution' 
`patchinfo-box.evolution-data-server' -> 
`/work/src/done/PATCHINFO/patchinfo-box.evolution-data-server' 
`patchinfo-box92.evolution' -> 
`/work/src/done/PATCHINFO/patchinfo-box92.evolution' 
`patchinfo-sld.evolution' -> 
`/work/src/done/PATCHINFO/patchinfo-sld.evolution' 
`patchinfo-sld.evolution-data-server' -> 
`/work/src/done/PATCHINFO/patchinfo-sld.evolution-data-server' 
`patchinfo-slec.evolution' -> 
`/work/src/done/PATCHINFO/patchinfo-slec.evolution'
Comment 9 Stanislav Brabec 2005-01-25 23:03:30 UTC 
Please look again at package list: patchinfo-sld.evolution-data-server.

Patch for evolution-data-server was submitted only to STABLE and PLUS.
Comment 10 Thomas Biege 2005-01-26 00:16:29 UTC 
removed /work/src/done/PATCHINFO/patchinfo-sld.evolution
Comment 11 Marcus Meissner 2005-01-26 00:24:07 UTC 
can you also submit packages for NLD-BETA (NLD SP1)?  
 
It has a changed evolution / evolution-data-server
Comment 12 Michael Schröder 2005-01-26 00:27:35 UTC 
Thomas, didn't you erase the wrong patchinfo?
Comment 13 Thomas Biege 2005-01-26 00:36:58 UTC 
Stupid! I did so... 
 
removed /work/src/done/PATCHINFO/patchinfo-sld.evolution-data-server 
and put the other file back. :)
Comment 14 Stanislav Brabec 2005-01-27 01:13:54 UTC 
Fix submitted also for evolution NLD SP1.
Comment 15 Thomas Biege 2005-02-03 20:32:47 UTC 
approved SLES8/9 and Box packages

I'll leave this bug open for NLD...
Comment 16 Marcus Meissner 2005-02-04 23:16:36 UTC 
updates released everywhere, right? i do not see the NLD version anymore. 
 
NLD-SP1 will have it too.
Comment 17 Stanislav Brabec 2005-02-04 23:26:42 UTC 
I have submitted it for SLES9-SLD and later for SLES9-SLD-BETA.
See
/work/SRC/old-versions/9.1/SLD/all/evolution/evolution.changes
/work/SRC/old-versions/9.1/SLD-BETA/all/evolution/evolution.changes
Comment 18 Thomas Biege 2009-10-13 21:00:08 UTC 
CVE-2005-0102: CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)