Evolution Integer Overflow in camel-lock-helper May Let Local and Remote Users Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1012981
|
|
SecurityTracker URL: http://securitytracker.com/id?1012981
|
|
CVE Reference: CAN-2005-0102
(Links to External Site)
|
Date: Jan 25 2005
|
Impact: Execution of arbitrary code via local system, Execution of arbitrary code via network, Root access via local system, Root access via network, User access via local system, User access via network
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): 2.0.3 and prior versions
|
Description: An integer overflow vulnerability was reported in Evolution in camel-lock-helper. A remote mail server may may be able to execute arbitrary code on a connected system. A local user can execute arbitrary code with elevated privileges.
The flaw resides in 'camel-lock-helper.c', where a user-supplied length value is not properly validated. A user can supply a value
of '-1' to cause a zero byte buffer to be allocated and then overflowed. A remote POP3 server can supply a specially crafted response
to a connected system to execute arbitrary code on the target system. Also, a local user can invoke Evolution to execute arbitrary
code with elevated privileges.
On some systems, this utility is configured with set group id (setgid) 'mail' group privileges
and on other systems it is configured with set user id (setuid) 'root' user privileges.
Max Vozeler is credited with discovering
this flaw.
|
Impact: A remote POP3 mail server may be able to execute arbitrary code on the connected system.
A local user can execute arbitrary code
on the target system.
The code may run with 'mail' group privileges or 'root' user privileges, depending on the system configuration.
|
Solution: A fix is available via CVS:
http://cvs.gnome.org/viewcvs/evolution/camel/camel-lock-helper.c?rev=1.7&hideattic=0&view=log
|
Vendor URL: www.gnome.org/projects/evolution/ (Links to External Site)
|
Cause: Boundary error
|
Underlying OS: Linux (Any), UNIX (Any)
|
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Mon, 24 Jan 2005 21:13:54 -0500
Subject: [none]
|
CVE: CAN-2005-0102
An integer overflow vulnerability was reported in Evolution in camel-lock-helper. A
remote POP3 server may be able to execute arbitrary code on the target system when the
target system connects to the malicious. A local user can also execute arbitrary code
with elevated privileges.
The flaw resides in 'camel-lock-helper.c', where a user-supplied length value is not
properly validated. A user can supply a value of '-1' to cause a zero byte buffer to
be allocated and then overflowed.
On some systems, this utility is configured with set group id (setgid) 'mail' group
privileges and on other systems is is configured with set user id (setuid) 'root' user
privileges.
Max Vozeler is credited with discovering this flaw.
A fix is available via CVS:
http://cvs.gnome.org/viewcvs/evolution/camel/camel-lock-helper.c?rev=1.7&hideattic=0&view=log
|
|
