Bugzilla – Bug 65116
VUL-0: CVE-2005-0102: evolution: integer overflow in helper app
Last modified: 2021-10-27 15:41:22 UTC
Hi, we received the following through vendor-sec.

----- Forwarded message from Martin Schulze <joey@infodrom.org> -----

From: Martin Schulze <joey@infodrom.org>
To: Free Software Distribution Vendors <vendor-sec@lst.de>
User-Agent: Mutt/1.5.6+20040907i
Subject: [vendor-sec] CAN-2005-0102: Arbitrary code execution in Evolution
Errors-To: vendor-sec-admin@lst.de
Date: Sun, 23 Jan 2005 11:18:45 +0100

Max Vozeler discovered an integer overflow in the helper application camel-lock-helper which runs setuid root or setgid mail inside of Evolution, a free groupware suite. A local attacker can cause the setuid root helper to execute arbitrary code with elevated privileges via a malicious POP server.

This is public already. We tried to disclose this responsibly with somebody from Novell who was also contacted by Max. However, despite "We are reviewing the patch and the issue." last Tuesday the fix was committed publicly and announced:

Message by NotZed:
http://lists.ximian.com/archives/public/evolution-patches/2005-January/008672.html

CVS commit:
http://cvs.gnome.org/viewcvs/evolution/camel/camel-lock-helper.c?rev=1.7&hideattic=0&view=log

I'm sorry for this.

We're going to fix this with the attached patch. Since this one is public already I don't want to wait too long with updates, so no or little coordination is possible. We're probably going for Monday or Tuesday.

Regards,

Joey

--
GNU does not eliminate all the world's problems, only some of them. -- The GNU Manifesto

--- evolution-1.0.5.orig/camel/camel-lock-helper.c 2001-10-27 18:59:27.000000000 +0200 +++ evolution-1.0.5/camel/camel-lock-helper.c 2005-01-21 16:57:44.000000000 +0100 @@ -360,6 +360,8 @@ int main(int argc, char **argv) switch(msg.id) { case CAMEL_LOCK_HELPER_LOCK: res = CAMEL_LOCK_HELPER_STATUS_NOMEM; + if (msg.data+1 < msg.data) + break; path = malloc(msg.data+1); if (path != NULL) { res = CAMEL_LOCK_HELPER_STATUS_PROTOCOL;

----- End forwarded message -----
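Review bot: The new guard `if (msg.data+1 < msg.data) break;` in the CAMEL_LOCK_HELPER_LOCK case leaves `res` at CAMEL_LOCK_HELPER_STATUS_NOMEM when it fires, so the caller is told the helper ran out of memory when it actually received a malformed length; set `res = CAMEL_LOCK_HELPER_STATUS_PROTOCOL;` before the `break` so the status reflects the protocol violation (the upstream CVS fix discussed later in this bug returns PROTOCOL). The check also depends on `msg.data+1` being evaluated in 32-bit unsigned arithmetic: with msg.data declared as uint32 it fires only for the single value 0xffffffff and would silently stop working if the field were ever widened or made signed, and it still lets a length of 0xfffffffe through to `malloc(msg.data+1)`, which then requests a near-4 GiB buffer. An explicit upper bound on the path length (the CVS version is said to compare against 0xffff) rejects the wrapping value without relying on overflow semantics and also caps the allocation.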
Comparing the above-mentioned patch and the CVS version, it seems that both do the same. Will apply the above-mentioned one. The bug moved to evolution-data-server in newer versions.
There is a difference: the version in CVS returns CAMEL_LOCK_HELPER_STATUS_PROTOCOL, this one returns CAMEL_LOCK_HELPER_STATUS_NOMEM. The version in CVS may not work. Because msg.data is declared as uint32, (msg.data+1 < msg.data) is true for 2^32; for the CVS version, the comparison is done against 0xffff. Will apply the CVS version.
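To make the difference between the two guards concrete, here is an added C model of the LOCK branch (example code written for this page, not camel-lock-helper's own source). It assumes a wire layout of a uint32 id followed by a uint32 `data` length and then `data` path bytes, uses made-up numeric values for the status codes, and models the CVS-style check as `msg.data > 0xffff`. Rather than performing the copy, it reports the malloc() size the helper would compute in uint32 arithmetic and whether reading `data` bytes into that buffer would overrun it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Status names follow the patch; the numeric values are an assumption of this example. */
enum lock_status { LOCK_OK = 0, LOCK_PROTOCOL = 1, LOCK_NOMEM = 2 };

/* Guards under comparison (the real helper has exactly one of these). */
enum guard { GUARD_NONE, GUARD_WRAP, GUARD_BOUND };

/* Assumed wire layout: uint32 id, uint32 data (path length), then `data` path bytes. */
struct lock_msg { uint32_t id; uint32_t data; };
#define MSG_LOCK     1u
#define MAX_PATH_LEN 0xffffu   /* the 0xffff bound mentioned in the bug comments */

/* What the helper would do with one LOCK message, without actually doing it. */
struct lock_outcome {
    enum lock_status status;  /* status the helper would report */
    uint32_t alloc_size;      /* argument that would be passed to malloc() */
    int reached_malloc;       /* 0 if a guard rejected the message first */
    int heap_overrun;         /* 1 if reading `data` bytes + NUL exceeds alloc_size */
};

/* malloc(msg.data+1) as the helper computes it: 32-bit unsigned arithmetic,
   so 0xffffffff + 1 wraps to 0. */
uint32_t lock_alloc_size(uint32_t data)
{
    return (uint32_t)(data + 1u);
}

/* Vendor-sec guard: true only when data+1 wraps, i.e. data == 0xffffffff. */
int wraps_on_increment(uint32_t data)
{
    return (uint32_t)(data + 1u) < data;
}

struct lock_outcome handle_lock(const unsigned char *wire, size_t wire_len, enum guard mode)
{
    struct lock_outcome out = { LOCK_PROTOCOL, 0, 0, 0 };
    struct lock_msg msg;

    if (wire_len < sizeof msg)
        return out;                      /* truncated header */
    memcpy(&msg, wire, sizeof msg);
    if (msg.id != MSG_LOCK)
        return out;

    out.status = LOCK_NOMEM;             /* the helper's default before malloc() */
    if (mode == GUARD_WRAP && wraps_on_increment(msg.data))
        return out;                      /* vendor-sec patch: break with NOMEM */
    if (mode == GUARD_BOUND && msg.data > MAX_PATH_LEN) {
        out.status = LOCK_PROTOCOL;      /* CVS-style: reject the length outright */
        return out;
    }

    out.reached_malloc = 1;
    out.alloc_size = lock_alloc_size(msg.data);
    /* The helper goes on to read msg.data bytes plus a terminating NUL. */
    out.heap_overrun = ((uint64_t)msg.data + 1u) > out.alloc_size;
    out.status = LOCK_OK;
    return out;
}

/* Build a LOCK message in host byte order (constructed input for the example). */
size_t make_lock_msg(unsigned char *buf, uint32_t data)
{
    struct lock_msg msg = { MSG_LOCK, data };
    memcpy(buf, &msg, sizeof msg);
    return sizeof msg;
}

/* Outcome for a given path length under a given guard. */
struct lock_outcome simulate(uint32_t data, enum guard mode)
{
    unsigned char buf[sizeof(struct lock_msg)];
    size_t n = make_lock_msg(buf, data);
    return handle_lock(buf, n, mode);
}

int main(void)
{
    static const char *names[] = { "no guard", "wrap check", "bound check" };
    const uint32_t lengths[] = { 20u, 0xfffffffeu, 0xffffffffu };
    for (size_t g = 0; g < 3; g++) {
        for (size_t i = 0; i < 3; i++) {
            struct lock_outcome o = simulate(lengths[i], (enum guard)g);
            if (o.reached_malloc)
                printf("%-11s data=0x%08x -> malloc(%u), overrun=%d\n", names[g],
                       (unsigned)lengths[i], (unsigned)o.alloc_size, o.heap_overrun);
            else
                printf("%-11s data=0x%08x -> rejected, status=%d\n", names[g],
                       (unsigned)lengths[i], (int)o.status);
        }
    }
    return 0;
}
```

Running it shows that with no guard a length of 0xffffffff yields malloc(0) followed by a 4 GiB read into it; the wraparound guard catches exactly that one value and reports NOMEM, while 0xfffffffe slips past it and asks malloc() for 0xffffffff bytes; the bound check rejects both oversized lengths with a PROTOCOL status and still accepts the ordinary 20-byte path.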
Fix submitted for: evolution-data-server: STABLE, PLUS evolution: 8.1, 8.2, 9.0, 9.1, 9.2, SLES9-SLD, SLES8-SLEC.
Thanks. I'll do swamp and patchinfo files tomorrow.
Hm, looks like we don't have the app installed setuid.
SM-Tracker-216
`patchinfo-box.evolution' -> `/work/src/done/PATCHINFO/patchinfo-box.evolution'
`patchinfo-box.evolution-data-server' -> `/work/src/done/PATCHINFO/patchinfo-box.evolution-data-server'
`patchinfo-box92.evolution' -> `/work/src/done/PATCHINFO/patchinfo-box92.evolution'
`patchinfo-sld.evolution' -> `/work/src/done/PATCHINFO/patchinfo-sld.evolution'
`patchinfo-sld.evolution-data-server' -> `/work/src/done/PATCHINFO/patchinfo-sld.evolution-data-server'
`patchinfo-slec.evolution' -> `/work/src/done/PATCHINFO/patchinfo-slec.evolution'
Please look again at the package list: patchinfo-sld.evolution-data-server. The patch for evolution-data-server was submitted only to STABLE and PLUS.
removed /work/src/done/PATCHINFO/patchinfo-sld.evolution
Can you also submit packages for NLD-BETA (NLD SP1)? It has a changed evolution / evolution-data-server.
Thomas, didn't you erase the wrong patchinfo?
Stupid! I did so... removed /work/src/done/PATCHINFO/patchinfo-sld.evolution-data-server and put the other file back. :)
Fix submitted also for evolution NLD SP1.
Approved SLES8/9 and Box packages. I'll leave this bug open for NLD...
Updates released everywhere, right? I do not see the NLD version anymore. NLD-SP1 will have it too.
I have submitted it for SLES9-SLD and later for SLES9-SLD-BETA. See
/work/SRC/old-versions/9.1/SLD/all/evolution/evolution.changes
/work/SRC/old-versions/9.1/SLD-BETA/all/evolution/evolution.changes
CVE-2005-0102: CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)