Moritz Muehlenhoff wrote:
> Dear security team,
> so far there hasn't been a security update for the latest evolution
> vulnerabilities. (CVE-2005-2549/CVE-2005-2550)
> I've attached patches for Woody and Sarge. The Sarge fixes are straightforward,
> but some comments on Woody, relative to the patch hunks from the Sarge fix:
> - accum_attribute() isn't present in Woody, so hunks 1-3 are void.
> - the vulnerable code from e-cal-component-preview.c isn't present either.
> - the vulnerable code from e-calendar-table.c and e-calendar-view.c is contained
>   in Woody, although in a different place. This is exploitable as well, have a
>   look at the description of the function that feeds data into ical_string:
> | * cal-client/cal-client.c (cal_client_get_component_as_string): new
> | function to return a complete VCALENDAR string containing a VEVENT
> | or VTODO with all the VTIMEZONEs it uses.
Please go ahead. Regards, Joey > Cheers, > Moritz > diff -Naur evolution-2.0.4.orig/addressbook/gui/widgets/eab-contact-display.c > evolution-2.0.4/addressbook/gui/widgets/eab-contact-display.c > --- evolution-2.0.4.orig/addressbook/gui/widgets/eab-contact-display.c > Mon Feb 14 17:09:03 2005 > +++ evolution-2.0.4/addressbook/gui/widgets/eab-contact-display.c Fri Nov > 25 16:50:43 2005 > @@ -338,7 +338,7 @@ > accum_attribute (accum, contact, _("Yahoo"), E_CONTACT_IM_YAHOO_HOME_1, > YAHOO_ICON, 0); > > if (accum->len > 0) > - gtk_html_stream_printf (html_stream, accum->str); > + gtk_html_stream_printf (html_stream, "%s", accum->str); > > end_block (html_stream); > > @@ -353,7 +353,7 @@ > > if (accum->len > 0) { > start_block (html_stream, _("work")); > - gtk_html_stream_printf (html_stream, accum->str); > + gtk_html_stream_printf (html_stream, "%s", accum->str); > end_block (html_stream); > } > > @@ -368,7 +368,7 @@ > > if (accum->len > 0) { > start_block (html_stream, _("personal")); > - gtk_html_stream_printf (html_stream, accum->str); > + gtk_html_stream_printf (html_stream, "%s", accum->str); > end_block (html_stream); > } > > diff -Naur evolution-2.0.4.orig/calendar/gui/e-cal-component-preview.c > evolution-2.0.4/calendar/gui/e-cal-component-preview.c > --- evolution-2.0.4.orig/calendar/gui/e-cal-component-preview.c Sun Apr > 18 20:01:19 2004 > +++ evolution-2.0.4/calendar/gui/e-cal-component-preview.c Fri Nov 25 > 16:50:43 2005 > @@ -285,7 +285,7 @@ > str = g_string_append_c (str, > text.value[i]); > } > > - gtk_html_stream_printf (stream, str->str); > + gtk_html_stream_printf (stream, "%s", str->str); > g_string_free (str, TRUE); > } > > diff -Naur evolution-2.0.4.orig/calendar/gui/e-calendar-table.c > evolution-2.0.4/calendar/gui/e-calendar-table.c > --- evolution-2.0.4.orig/calendar/gui/e-calendar-table.c Fri Sep 24 > 17:49:27 2004 > +++ evolution-2.0.4/calendar/gui/e-calendar-table.c Fri Nov 25 16:50:43 2005 
> @@ -1212,7 +1212,7 @@ > return; > } > > - fprintf (file, ical_string); > + fprintf (file, "%s", ical_string); > g_free (ical_string); > fclose (file); > } > diff -Naur evolution-2.0.4.orig/calendar/gui/e-calendar-view.c > evolution-2.0.4/calendar/gui/e-calendar-view.c > --- evolution-2.0.4.orig/calendar/gui/e-calendar-view.c Mon Feb 14 > 17:09:04 2005 > +++ evolution-2.0.4/calendar/gui/e-calendar-view.c Fri Nov 25 16:50:43 2005 > @@ -1074,7 +1074,7 @@ > return; > } > > - fprintf (file, ical_string); > + fprintf (file, "%s", ical_string); > g_free (ical_string); > fclose (file); > > diff -Naur evolution-1.0.5.orig/calendar/gui/dialogs/comp-editor.c > evolution-1.0.5/calendar/gui/dialogs/comp-editor.c > --- evolution-1.0.5.orig/calendar/gui/dialogs/comp-editor.c 2002-02-19 > 16:33:02.000000000 +0100 > +++ evolution-1.0.5/calendar/gui/dialogs/comp-editor.c 2005-12-01 > 15:01:23.000000000 +0100 > @@ -1088,7 +1088,7 @@ > return; > } > > - fprintf (file, ical_string); > + fprintf (file, "%s", ical_string); > g_free (ical_string); > fclose (file); > -- Reading is a lost art nowadays. -- Michael Weber Please always Cc to me when replying to me on the lists.
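Review bot: the "%s" change is correct for the three gtk_html_stream_printf calls in eab-contact-display.c and the one in e-cal-component-preview.c, but each of those sites only ever emits an already built GString, so gtk_html_stream_write (html_stream, accum->str, accum->len) (and the same for str->str/str->len in the preview) would take the format machinery out of the path entirely; whichever form is kept, a rebuild with -Wformat-security is the cheap way to confirm that no further gtk_html_stream_printf (stream, buf) call with a non-literal format is left in the tree.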
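Review bot: in the e-calendar-table.c and e-calendar-view.c hunks, fprintf (file, "%s", ical_string) closes the format-string hole, but the surrounding lines still ignore the return values of fprintf and fclose, so a failed write of the component (disk full, error flushed at close) is treated as a successful save; fputs (ical_string, file) followed by a check that fclose (file) == 0, with the error reported to the user, would fix both the security and the reliability problem in one place.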
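Review bot: the comp-editor.c hunk is against evolution-1.0.5 yet is appended to the same file as the 2.0.4 hunks, so applying the file in either tree will report the other distribution's hunks as failed; please ship the Woody change as a separate patch. Moritz's cover note says the e-calendar-table.c/e-calendar-view.c code exists in Woody "in a different place", and the single comp-editor.c hunk is the only Woody site touched, so a grep for 'fprintf (file, ical_string)' over the 1.0.5 tree should be run to confirm there is no second copy before upload.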
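The defect the patch fixes, as an added C example that is not Evolution code: a constructed VCALENDAR fragment (standing in for what cal_client_get_component_as_string() returns) is written once with the data as the printf format, as the pre-patch fprintf (file, ical_string) did, and once as a "%s" argument, as the patched lines do. The only '%' sequence in the sample is "%%", so both calls stay within defined behaviour while the first still visibly rewrites the stored data; the save_* and save_preserves_data names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Constructed VCALENDAR fragment, not real Evolution output. The DESCRIPTION
 * carries "%%" on purpose: it is the one conversion sequence that is safe to
 * feed through printf, yet it is enough to show that the pre-patch code
 * parses calendar data as a format string instead of copying it. */
static const char sample_ical[] =
    "BEGIN:VCALENDAR\r\n"
    "BEGIN:VEVENT\r\n"
    "DESCRIPTION:Laptop battery at 100%% before the trip\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n";

/* Pre-patch pattern: the untrusted string *is* the format string.
 * GCC's -Wformat-security flags exactly this call shape. */
static int save_unpatched(char *out, size_t n, const char *ical_string)
{
    return snprintf(out, n, ical_string);
}

/* Patched pattern: the untrusted string is an argument to a literal format,
 * so '%' characters in the data are copied, never interpreted. */
static int save_patched(char *out, size_t n, const char *ical_string)
{
    return snprintf(out, n, "%s", ical_string);
}

/* Returns 1 when the bytes produced by 'save' are identical to the source
 * component, 0 when the save routine altered them on the way out. */
int save_preserves_data(int (*save)(char *, size_t, const char *))
{
    char buf[512];
    save(buf, sizeof buf, sample_ical);
    return strcmp(buf, sample_ical) == 0;
}

int main(void)
{
    /* Expected: unpatched 0 ("%%" collapsed to "%"), patched 1 (verbatim). */
    printf("unpatched preserves data: %d\n", save_preserves_data(save_unpatched));
    printf("patched preserves data:   %d\n", save_preserves_data(save_patched));
    return 0;
}
```

With any other '%' sequence in the component the unpatched routine would read arguments that were never passed, which is the memory-safety failure behind the two CVEs; the "%%" case is the smallest observable symptom of the same parsing.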