
Friday, 15 June 2018

bufferoverflow() in evolution - CVE-2018-12422

Hi Internet,

#ShortPost

Evolution is a personal information management application that provides integrated mail, calendaring and address book functionality.

While going through the source code of GNOME Evolution, we observed that

`addressbook/backends/ldap/e-book-backend-ldap.c` in Evolution-Data-Server in GNOME Evolution through 3.29.2 might allow attackers to trigger a buffer overflow via a long query that is processed by the `strcat` function. CVE-2018-12422 was assigned to this issue.

We reported this to the GNOME Evolution team and a patch was pushed for it; the relevant code, with the replaced `strcat`/`g_malloc0` lines and the new `GString` lines shown together, is below for your reference.

		if (!strcmp (propname, "x-evolution-any-field")) {
			gint i;
			gint query_length;
			gchar *big_query;
			GString *big_query;
			gchar *match_str;
			if (one_star) {
				g_free (str);

			match_str = g_strdup_printf ("=*%s*)", str);

			query_length = 3; /* strlen ("(|") + strlen (")") */

			for (i = 0; i < G_N_ELEMENTS (prop_info); i++) {
				query_length += 1 /* strlen ("(") */ + strlen (prop_info[i].ldap_attr) + strlen (match_str);
			}

			big_query = g_malloc0 (query_length + 1);
			strcat (big_query, "(|");
			big_query = g_string_sized_new (G_N_ELEMENTS (prop_info) * 7);
			g_string_append (big_query, "(|");
			for (i = 0; i < G_N_ELEMENTS (prop_info); i++) {
				if ((prop_info[i].prop_type & PROP_TYPE_STRING) != 0 &&
				    !(prop_info[i].prop_type & PROP_WRITE_ONLY) &&
				     !(prop_info[i].prop_type & PROP_EVOLVE)) &&
				    (ldap_data->bl->priv->calEntrySupported ||
				     !(prop_info[i].prop_type & PROP_CALENTRY))) {
					strcat (big_query, "(");
					strcat (big_query, prop_info[i].ldap_attr);
					strcat (big_query, match_str);
					g_string_append (big_query, "(");
					g_string_append (big_query, prop_info[i].ldap_attr);
					g_string_append (big_query, match_str);
				}
			}
			strcat (big_query, ")");
			g_string_append (big_query, ")");

			ldap_data->list = g_list_prepend (ldap_data->list, big_query);
			ldap_data->list = g_list_prepend (ldap_data->list, g_string_free (big_query, FALSE));

			g_free (match_str);
		}
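Review bot: The size hint `g_string_sized_new (G_N_ELEMENTS (prop_info) * 7)` passed at the `big_query` allocation is a magic number; a short comment such as `/* size hint only: GString grows on append, so the later appends cannot overrun it */` would make clear that the 7 is an initial capacity and not a bound the appends must respect. The `query_length` accumulation above the allocation appears to be the old sizing code for `g_malloc0`; if it survives on the new side it is now dead arithmetic and should be removed together with the `g_malloc0`/`strcat` lines. The same two points apply to the second `x-evolution-any-field` block below. The enclosing function begins and ends outside this hunk, and the listing seems to have lost its +/- markers, so old and new lines are shown interleaved.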

		if (!strcmp (propname, "x-evolution-any-field")) {
			gint i;
			gint query_length;
			gchar *big_query;
			GString *big_query;
			gchar *match_str;

			match_str = g_strdup ("=*)");

			query_length = 3; /* strlen ("(|") + strlen (")") */

			for (i = 0; i < G_N_ELEMENTS (prop_info); i++) {
				query_length += 1 /* strlen ("(") */ + strlen (prop_info[i].ldap_attr) + strlen (match_str);
			}

			big_query = g_malloc0 (query_length + 1);
			strcat (big_query, "(|");
			big_query = g_string_sized_new (G_N_ELEMENTS (prop_info) * 7);
			g_string_append (big_query, "(|");
			for (i = 0; i < G_N_ELEMENTS (prop_info); i++) {
				if (!(prop_info[i].prop_type & PROP_WRITE_ONLY) &&
				    (ldap_data->bl->priv->evolutionPersonSupported ||
				     !(prop_info[i].prop_type & PROP_EVOLVE)) &&
				    (ldap_data->bl->priv->calEntrySupported ||
				     !(prop_info[i].prop_type & PROP_CALENTRY))) {
					strcat (big_query, "(");
					strcat (big_query, prop_info[i].ldap_attr);
					strcat (big_query, match_str);
					g_string_append (big_query, "(");
					g_string_append (big_query, prop_info[i].ldap_attr);
					g_string_append (big_query, match_str);
				}
			}
			strcat (big_query, ")");
			g_string_append (big_query, ")");

			ldap_data->list = g_list_prepend (ldap_data->list, big_query);
			ldap_data->list = g_list_prepend (ldap_data->list, g_string_free (big_query, FALSE));

			g_free (match_str);
		}

Source : https://gitlab.gnome.org/GNOME/evolution-data-server/commit/34bad61738e2127736947ac50e0c7969cc944972?view=inline

Mentions:
A shoutout to Zubin and Hardik, with whom I work to find security bugs. Hope you enjoyed the read.


Regards
Dhiraj

