Bug 65116 - (CVE-2005-0102) VUL-0: CVE-2005-0102: evolution: integer overflow in helper app
VUL-0: CVE-2005-0102: evolution: integer overflow in helper app
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
All Linux
: P3 - Medium : Normal
: ---
Assigned To: Stanislav Brabec
Security Team bot
CVE-2005-0102: CVSS v2 Base Score: 7....
Depends on:
Reported: 2005-01-24 19:10 UTC by Thomas Biege
Modified: 2021-10-27 15:41 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Thomas Biege 2005-01-24 19:10:24 UTC
We received the following through vendor-sec. 
----- Forwarded message from Martin Schulze <joey@infodrom.org> ----- 
From: Martin Schulze <joey@infodrom.org> 
To: Free Software Distribution Vendors <vendor-sec@lst.de> 
User-Agent: Mutt/1.5.6+20040907i 
Subject: [vendor-sec] CAN-2005-0102: Arbitrary code execution in 
Errors-To: vendor-sec-admin@lst.de 
Date: Sun, 23 Jan 2005 11:18:45 +0100 
Max Vozeler discovered an integer overflow in the helper application 
camel-lock-helper which runs setuid root or setgid mail inside of 
Evolution, a free groupware suite.  A local attacker can cause the 
setuid root helper to execute arbitrary code with elevated privileges 
via a malicious POP server. 
This is public already. 
We tried to disclose this responsibly with somebody from Novell who 
was also contacted by Max.  However, despite "We are reviewing the 
patch and the issue." last Tuesday the fix was committed publicly 
and announced: 
Message by NotZed: 
CVS commit: 
I'm sorry for this. 
We're going to fix this with the attached patch. 
Since this one is public already I don't want to wait too long with 
updates, so no or little coordination is possible.  We're probably 
going for Monday or Tuesday. 
--- evolution-1.0.5.orig/camel/camel-lock-helper.c      2001-10-27 
18:59:27.000000000 +0200 
+++ evolution-1.0.5/camel/camel-lock-helper.c   2005-01-21 
16:57:44.000000000 +0100 
@@ -360,6 +360,8 @@ int main(int argc, char **argv) 
                        switch(msg.id) { 
                        case CAMEL_LOCK_HELPER_LOCK: 
                                res = CAMEL_LOCK_HELPER_STATUS_NOMEM; 
+                               if (msg.data+1 < msg.data) 
+                                       break; 
                                path = malloc(msg.data+1); 
                                if (path != NULL) { 
                                        res = 
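Review bot: the added check `if (msg.data+1 < msg.data) break;` rejects only the single wrapping value of the uint32 length and does so while `res` is still CAMEL_LOCK_HELPER_STATUS_NOMEM, so a malformed request is reported to the client as an out-of-memory condition; returning a dedicated status (comment 3 notes the CVS fix uses CAMEL_LOCK_HELPER_STATUS_PROTOCOL) and adding an explicit upper bound on msg.data would also refuse very large but non-wrapping lengths before they reach malloc(). The `---`/`+++` header lines in this copy have been wrapped by the mail client and will need rejoining before the patch applies cleanly.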
----- End forwarded message -----
Comment 1 Thomas Biege 2005-01-24 19:10:25 UTC
Comment 2 Stanislav Brabec 2005-01-24 21:36:34 UTC
Comparing the above-mentioned patch and the CVS version, it seems that both do the
same. Will apply the above-mentioned one. The bug moved to evolution-data-server in
newer versions.
Comment 3 Stanislav Brabec 2005-01-24 21:41:38 UTC
There is a difference: version in CVS returns CAMEL_LOCK_HELPER_STATUS_PROTOCOL,
this one returns CAMEL_LOCK_HELPER_STATUS_NOMEM. Version in CVS may not work.

Because msg.data is declared as uint32, (msg.data+1 < msg.data) is true for
2^32; for the CVS version, the comparison is done against 0xffff.

Will apply CVS version.
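As an added illustration of the arithmetic discussed in comment 3 (example code, not Evolution's camel-lock-helper): the length arrives from the client as a uint32, so `data + 1` wraps to 0 for 0xffffffff; the vendor-sec check catches exactly that one value, while the hardened variant below also applies an upper bound. The status names are from the bug, but their numeric values and the 0xffff bound as a "length must not exceed" check are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>

/* Status codes: names from the bug, numeric values are assumptions. */
#define CAMEL_LOCK_HELPER_STATUS_OK        0
#define CAMEL_LOCK_HELPER_STATUS_NOMEM     1
#define CAMEL_LOCK_HELPER_STATUS_PROTOCOL  2

/* Assumed upper bound for a path length (comment 3 says the CVS fix
 * compares against 0xffff). */
#define PATH_LEN_MAX 0xffffu

/* Size the unpatched code hands to malloc(): msg.data is a uint32, so
 * 0xffffffff + 1 wraps to 0 and a zero-byte buffer is allocated for a
 * message that claims 4 GiB of path data. */
uint32_t vulnerable_alloc_size(uint32_t data)
{
    return data + 1;
}

/* The vendor-sec check: true only for the single wrapping value. */
int patch_check_rejects(uint32_t data)
{
    return data + 1 < data;
}

/* Hardened variant: refuse wraparound and any length above the protocol
 * bound with a PROTOCOL status, reserving NOMEM for a real allocation
 * failure. On success *out is a NUL-terminated buffer of data + 1 bytes
 * that the caller must free(). */
int alloc_path_buffer(uint32_t data, char **out)
{
    *out = NULL;
    if (data + 1 < data || data > PATH_LEN_MAX)
        return CAMEL_LOCK_HELPER_STATUS_PROTOCOL;
    *out = malloc((size_t)data + 1);
    if (*out == NULL)
        return CAMEL_LOCK_HELPER_STATUS_NOMEM;
    (*out)[data] = '\0';
    return CAMEL_LOCK_HELPER_STATUS_OK;
}

/* Convenience wrapper returning only the status (frees any buffer). */
int alloc_path_status(uint32_t data)
{
    char *buf;
    int st = alloc_path_buffer(data, &buf);
    free(buf);
    return st;
}
```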
Comment 4 Stanislav Brabec 2005-01-24 23:16:12 UTC
Fix submitted for:

evolution-data-server: STABLE, PLUS

evolution: 8.1, 8.2, 9.0, 9.1, 9.2, SLES9-SLD, SLES8-SLEC.
Comment 5 Thomas Biege 2005-01-25 01:16:09 UTC
Thanks. I'll do swamp and patchinfo files tomorrow. 
Comment 6 Thomas Biege 2005-01-25 01:22:21 UTC
Hm, looks like we don't have the app. installed setuid. 
Comment 7 Thomas Biege 2005-01-25 19:59:28 UTC
Comment 8 Thomas Biege 2005-01-25 21:05:09 UTC
`patchinfo-box.evolution' -> 
`patchinfo-box.evolution-data-server' -> 
`patchinfo-box92.evolution' -> 
`patchinfo-sld.evolution' -> 
`patchinfo-sld.evolution-data-server' -> 
`patchinfo-slec.evolution' -> 
Comment 9 Stanislav Brabec 2005-01-25 23:03:30 UTC
Please look again at package list: patchinfo-sld.evolution-data-server.

Patch for evolution-data-server was submitted only to STABLE and PLUS.
Comment 10 Thomas Biege 2005-01-26 00:16:29 UTC
removed /work/src/done/PATCHINFO/patchinfo-sld.evolution 
Comment 11 Marcus Meissner 2005-01-26 00:24:07 UTC
Can you also submit packages for NLD-BETA (NLD SP1)?  
It has a changed evolution / evolution-data-server 
Comment 12 Michael Schröder 2005-01-26 00:27:35 UTC
Thomas, didn't you erase the wrong patchinfo?
Comment 13 Thomas Biege 2005-01-26 00:36:58 UTC
Stupid! I did so... 
removed /work/src/done/PATCHINFO/patchinfo-sld.evolution-data-server 
and put the other file back. :) 
Comment 14 Stanislav Brabec 2005-01-27 01:13:54 UTC
Fix submitted also for evolution NLD SP1.
Comment 15 Thomas Biege 2005-02-03 20:32:47 UTC
approved SLES8/9 and Box packages

I'll leave this bug open for NLD...
Comment 16 Marcus Meissner 2005-02-04 23:16:36 UTC
Updates released everywhere, right? I do not see the NLD version anymore. 
NLD-SP1 will have it too. 
Comment 17 Stanislav Brabec 2005-02-04 23:26:42 UTC
I have submitted it for SLES9-SLD and later for SLES9-SLD-BETA.
Comment 18 Thomas Biege 2009-10-13 21:00:08 UTC
CVE-2005-0102: CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)