Your message dated Wed, 01 Jun 2005 23:21:32 -0700
with message-id <[EMAIL PROTECTED]>
and subject line #279726: CAN-2003-0541: null pointer dereference security hole
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 4 Nov 2004 21:51:13 +0000
>From [EMAIL PROTECTED] Thu Nov 04 13:51:13 2004
Return-path: <[EMAIL PROTECTED]>
Received: from kitenet.net [64.62.161.42] (postfix)
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1CPpVh-0002B0-00; Thu, 04 Nov 2004 13:51:13 -0800
Received: from dragon.kitenet.net (unknown [66.168.94.144])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(Client CN "Joey Hess", Issuer "Joey Hess" (verified OK))
by kitenet.net (Postfix) with ESMTP id ABB1C17E95
for <[EMAIL PROTECTED]>; Thu, 4 Nov 2004 21:51:12 +0000 (GMT)
Received: by dragon.kitenet.net (Postfix, from userid 1000)
id CC5866E122; Thu, 4 Nov 2004 16:52:50 -0500 (EST)
Date: Thu, 4 Nov 2004 16:52:50 -0500
From: Joey Hess <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: CAN-2003-0541: null pointer dereference security hole
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="1LKvkjL3sHcu1TtY"
Content-Disposition: inline
X-Reportbug-Version: 3.1
User-Agent: Mutt/1.5.6+20040907i
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-3.0 required=4.0 tests=BAYES_00 autolearn=no
version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level:
--1LKvkjL3sHcu1TtY
Content-Type: multipart/mixed; boundary="gKMricLos+KVdGMg"
Content-Disposition: inline
--gKMricLos+KVdGMg
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Package: gtkhtml
Version: 1.0.4-5.1
Severity: grave
Tags: security patch
According to CAN-2003-0541, "gtkhtml before 1.1.10, as used in
Evolution, allows remote attackers to cause a denial of service (crash)
via a malformed message that causes a null pointer dereference."
There's some more info in the redhat advisory
(http://rhn.redhat.com/errata/RHSA-2003-264.html):
Versions of GtkHTML prior to 1.1.10 contain a bug when handling HTML
messages. Alan Cox discovered that certain malformed messages could cause
the Evolution mail component to crash due to a null pointer dereference in
the GtkHTML library. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2003-0541 to this issue.
Users of Evolution are advised to upgrade to these erratum packages, which
contain GtkHTML version 1.1.10 correcting this issue.
Debian's evolution package is built with gtkhtml3.2, which is a much newer
version and not vulnerable. So evolution is safe, but there is always
the possibility that something else built against the old version of gtkhtml
could be exploited by this hole.
Of the software in Debian, only gnuvd-gnome is still linked to this library
and likely to feed untrusted html to gtkhtml. I have not checked to see if
the hole can be exploited using gnuvd-gnome.
I've attached a patch which I took from the Mandrake security advisory.
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=3Den_US.UTF-8, LC_CTYPE=3Den_US.UTF-8 (charmap=3DUTF-8)
Versions of packages gtkhtml depends on:
ii bonobo 1.0.22-2.2 The GNOME Bonobo System.
ii gdk-imlib1 1.9.14-16 imaging library for use with g=
tk (
ii libart2 1.4.2-19 The GNOME canvas widget - runt=
ime=20
ii libaudiofile0 0.2.6-4 Open-source version of SGI's a=
udio
ii libbonobo2 1.0.22-2.2 The GNOME Bonobo library.
ii libc6 2.3.2.ds1-18 GNU C Library: Shared librarie=
s an
pn libcapplet1 Not found.
ii libdb3 3.2.9-20 Berkeley v3 Database Libraries=
[ru
ii libesd0 0.2.35-2 Enlightened Sound Daemon - Sha=
red=20
ii libfreetype6 2.1.7-2.2 FreeType 2 font engine, shared=
lib
ii libgal23 0.24-1.3 G App Libs (run time library)
ii libgdk-pixbuf-gnome2 0.22.0-7 The GNOME1 Canvas pixbuf libra=
ry
ii libgdk-pixbuf2 0.22.0-7 The GdkPixBuf image library, g=
tk+=20
ii libghttp1 1.0.9-15 original GNOME HTTP client lib=
rary
ii libglade-gnome0 1:0.17-3 Library to load .glade files a=
t ru
ii libglade0 1:0.17-3 Library to load .glade files a=
t ru
ii libglib1.2 1.2.10-9 The GLib library of C routines
ii libgnome32 1.4.2-19 The GNOME libraries
ii libgnomeprint15 0.37-5 The GNOME Print architecture -=
run
ii libgnomesupport0 1.4.2-19 The GNOME libraries (Support l=
ibra
ii libgnomeui32 1.4.2-19 The GNOME libraries (User Inte=
rfac
ii libgnorba27 1.4.2-19 GNOME CORBA services
ii libgtk1.2 1.2.10-17 The GIMP Toolkit set of widget=
s fo
pn libgtkhtml-data Not found.
ii libgtkhtml20 1.0.4-6.1 HTML rendering/editing library=
- r
ii liboaf0 0.6.10-3 The GNOME Object Activation Fr=
amew
ii liborbit0 0.5.17-9 Libraries for ORBit - a CORBA =
ORB
ii libpopt0 1.7-5 lib for parsing cmdline parame=
ters
ii libwrap0 7.6.dbs-6 Wietse Venema's TCP wrappers l=
ibra
ii libxml1 1:1.8.17-9 GNOME XML library
ii oaf 0.6.10-3 The GNOME Object Activation Fr=
amew
ii xlibs 4.3.0.dfsg.1-8 X Window System client librari=
es m
ii zlib1g 1:1.2.2-3 compression library - runtime
--=20
see shy jo
--gKMricLos+KVdGMg
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="gtkhtml-1.0.2-textslave.patch"
Content-Transfer-Encoding: quoted-printable
--- gtkhtml-1.0.2/src/htmltextslave.c.textslave 2003-08-20 18:51:52.0000000=
00 -0400
+++ gtkhtml-1.0.2/src/htmltextslave.c 2003-08-20 18:52:32.000000000 -0400
@@ -348,12 +348,13 @@
=20
sep =3D begin =3D html_text_get_text (text, slave->posStart);
=20
- while (sep
+ while (sep && *sep=20
&& widthLeft >=3D get_words_width (text, painter,
slave->start_wor=
d, words + 1)
+ (slave->start_word + words + 1 =3D=3D text->words ?
get_next_nb_=
width (slave, painter) : 0)) {
words ++;
lsep =3D sep;
- sep =3D strchr (lsep + (words > 1 ? 1 : 0), ' ');
+ if (sep)
+ sep =3D strchr (lsep + (words > 1 ? 1 : 0), ' ');
pos =3D sep ? g_utf8_pointer_to_offset (begin, sep) :
g_utf8_strlen (=
begin, -1);
if (words + slave->start_word >=3D text->words)
break;
--gKMricLos+KVdGMg--
--1LKvkjL3sHcu1TtY
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFBiqSwd8HHehbQuO8RAiP7AJ4q+cT6bVZZ0hAhAsLcq3XGPiBzzgCeLb1f
hdBF9E1PBJTa/ovQ/VsTcAw=
=2zGi
-----END PGP SIGNATURE-----
--1LKvkjL3sHcu1TtY--
---------------------------------------
Received: (at 279726-done) by bugs.debian.org; 2 Jun 2005 06:21:33 +0000
>From [EMAIL PROTECTED] Wed Jun 01 23:21:33 2005
Return-path: <[EMAIL PROTECTED]>
Received: from vp085189.reshsg.uci.edu (becket.becket.net) [128.195.85.189]
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1Ddj5B-0005CP-00; Wed, 01 Jun 2005 23:21:33 -0700
Received: from tb by becket.becket.net with local (Exim 4.50)
id 1Ddj5A-0007pH-Sk; Wed, 01 Jun 2005 23:21:32 -0700
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: #279726: CAN-2003-0541: null pointer dereference security hole
From: Thomas Bushnell BSG <[EMAIL PROTECTED]>
X-Reply-Permission: Posted or emailed replies to this message constitute
permission for an emailed response.
X-PGP-Fingerprint: 1F0A1E51 63 28 EB DA E6 44 E5 5E EC F3 04 26 4E BF 1A
92
X-Tom-Swiftie: "My lenses will stay perfectly clear," Tom said
optimistically
Date: Wed, 01 Jun 2005 23:21:32 -0700
Message-ID: <[EMAIL PROTECTED]>
User-Agent: Gnus/5.1007 (Gnus v5.10.7) Emacs/21.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-3.0 required=4.0 tests=BAYES_00 autolearn=no
version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
This bug (long fixed in unstable) is now fixed in stable, as of Debian
3.0 release 6, in gtkhtml-1.0.2-1.woody1.
Thomas
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
