The Evolution maintainer announced a new release. This time the release fixes a significant security problem.
The problem is a remotely exploitable one. I strongly suggest that everybody update his or her Evolution setup, even if your Evolution package is incredibly old. I think nearly all versions of Evolution are affected.
Evolution-data-server: ===================== ... #447414: Security Fix - negative index of an array (Philip Van Hoof)
Philip,
I’m not one to complain quickly, and I’m not a security expert, and I’ve met you in person and I like you for your energy and drive and your ability to get stuff done. But I’m going to make some wild guesses.
* Saying that everyone should update because you fixed a security bug, without explaining what it is, is irresponsible. Tell us how we could be affected.
* Disclosing this security bug at the same time the source maintainer releases is irresponsible. Leave people some time.
* Not leaving vendors time to update packages is irresponsible.
Thanks for leaving our desktop open for exploitation.
Thomas
You are affected if somebody can influence your IMAP connection (which is not very hard, for example using a man in the middle attack or by tricking you into using their IMAP server).
If the IMAP server sends negative sequence numbers, then those will be accepted as the index of an array (a pointer array). The UID that the IMAP server also sends will be written to that location.
With some calculating per architecture, you can probably figure out what negative value you should give for what nth sequence, and how many bytes to write to get at the instruction pointer, point it to the UID field and execute the code.
ps. The coders already had three months now. I talked with (as far as I know) two people who work(ed) on Evolution about this. This is most certainly not a new bug (although I only recently disclosed it on the GNOME Bugzilla, I did that — after three or more months — because I was not very satisfied with the speed at which the issue was being handled).
I discussed this issue in public on the Evolution IRC channel (actually, that was by accident as I should have done this discussion in private with an Evolution developer, I know). This means that a cracker who read this, might have coded-up an exploit already. I also fixed this very early into Tinymail’s camel-lite. A cracker who follows up on both, could have seen this security problem a few months ago too. The security problem is also not very hard to find, who knows how many crackers already know about it?
ps. Packagers and vendors should simply hurry up, as this bug is now public in the Bugzilla too. Not only that, the Evolution maintainer has announced the fix, marked it in his announcement as a “Security fix” and has put the bug number at the same line, making it easy to find my patch –> making it easy to know how to create the exploit.
I’m confident that it won’t take long before proof-of-concept exploits will be made and tried on people.
There’s no more time to lose for the packagers and vendors. New packages must happen, now. A blog item isn’t going to speed up the need for it, just the fact that packages ‘will’ be available faster. This means that it’s better for the “users” (because they will have security updates faster).
Short: It’s my opinion that I waited long enough (three months) to put it in the Bugzilla, and that I waited long enough (until after the public announcement of the Evolution release itself) for making any other-than-Bugzilla public statements about it.
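The bug class described in the reply above (a server-controlled sequence number used unchecked as an array index, with the server-controlled UID written to that slot) can be illustrated in a few lines. The following is an added example written for this page; it is not Evolution's or Camel's code, and the `summary_t` layout, the `parse_fetch_line` helper and the two `store_uid_*` functions are hypothetical. It shows the unchecked store beside a hardened one that enforces what RFC 3501 already requires: a message sequence number is a non-zero unsigned number, and it must refer to a message that actually exists.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical in-memory mailbox summary: one UID slot per message.
 * IMAP sequence numbers are 1-based, so sequence N lives at uids[N-1]. */
#define MAX_MESSAGES 8
typedef struct {
    unsigned long uids[MAX_MESSAGES];
    size_t count;               /* messages currently in the mailbox */
} summary_t;

/* Parse an untagged FETCH response of the form "* <seq> FETCH (UID <uid>)".
 * Returns 0 on success. The sequence number is parsed with strtol, i.e. as
 * a signed value, which is exactly what lets a hostile server hand us a
 * negative number that a later array lookup will happily accept. */
int parse_fetch_line(const char *line, long *seq, unsigned long *uid)
{
    char *end;
    if (strncmp(line, "* ", 2) != 0)
        return -1;
    errno = 0;
    *seq = strtol(line + 2, &end, 10);
    if (errno || end == line + 2 || strncmp(end, " FETCH (UID ", 12) != 0)
        return -1;
    const char *p = end + 12;
    *uid = strtoul(p, &end, 10);
    if (errno || end == p || *end != ')')
        return -1;
    return 0;
}

/* The vulnerable pattern: the slot is derived from the server's number
 * with no range check, so seq <= 0 yields a slot before the array. */
long unchecked_slot(long seq)
{
    return seq - 1;
}

/* Do NOT call this with seq < 1 or seq > count: that is the out-of-bounds
 * write the fix removed (kept here only to show the shape of the bug). */
void store_uid_unchecked(summary_t *s, long seq, unsigned long uid)
{
    s->uids[unchecked_slot(seq)] = uid;
}

/* Hardened store: reject anything that is not a valid sequence number for
 * a message we know about. Returns 0 on success, -1 if rejected. */
int store_uid_checked(summary_t *s, long seq, unsigned long uid)
{
    if (seq < 1 || (unsigned long)seq > s->count)
        return -1;
    s->uids[seq - 1] = uid;
    return 0;
}

/* Feed a constructed hostile line and a constructed benign line through
 * the parser and the checked store. Returns 1 if the hostile line was
 * rejected and the benign UID landed in the right slot, else 0. */
int demo(void)
{
    summary_t s = { {0}, 5 };   /* 5 messages in the mailbox */
    long seq;
    unsigned long uid;

    /* Constructed hostile server response: negative sequence number. */
    if (parse_fetch_line("* -5 FETCH (UID 1234)", &seq, &uid) != 0)
        return 0;
    printf("hostile seq %ld -> unchecked slot %ld (out of bounds)\n",
           seq, unchecked_slot(seq));
    int rejected = store_uid_checked(&s, seq, uid) == -1;

    /* Constructed benign server response. */
    if (parse_fetch_line("* 3 FETCH (UID 777)", &seq, &uid) != 0)
        return 0;
    int stored = store_uid_checked(&s, seq, uid) == 0 && s.uids[2] == 777;

    return rejected && stored;
}

int main(void)
{
    printf("checked store behaves correctly: %s\n", demo() ? "yes" : "no");
    return 0;
}
```

The point of the split between `unchecked_slot` and `store_uid_checked` is that the dangerous step is the index computation, not the write itself: once a negative or too-large number has been turned into a slot, every later use of that slot is out of bounds. Validating against the mailbox's known message count, rather than merely against `MAX_MESSAGES`, also rejects sequence numbers for messages the client has never seen, which a server can likewise choose freely.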
I don’t care how long you waited to do stuff. You have a responsibility to the users and not to the people before that.
Your users cannot install the fix until the distributors put out the packages. Distributors cannot put out the fix until upstream releases or you tell them about a patch.
If your argument is “I waited long enough on the evo guys to do the right thing so screw them”, you’ve screwed your users, not the evo team.
Bottom line – don’t screw the users.
Thomas, you should first read what I wrote before making dumb conclusions that I already falsified before you made the conclusion.
I clearly wrote that it’s better for the user that packagers are urged to create new packages BECAUSE the bug is now multiple months old, BECAUSE the bug was widely known already, BECAUSE a cracker who follows up on Tinymail and Evolution can compare differences (which ISN’T a silly idea if you are out to find security problems in an extremely popular product, Evolution), BECAUSE I discussed this in public on IRC (which was my ONLY mistake), BECAUSE it’s an extremely severe problem (remotely executing code), BECAUSE …
How many reasons do I have to give? Still you make your argument that STILL it’s not in the interest of the users that packagers are urged to be fast: In the end, you ask me NOT to urge the packagers to be fast. Right?
Finally, your argument is false because the issue had been publicized FOUR TIMES in FOUR DIFFERENT WAYS before I publicized it on my blog.
One of the ways was the public release announcement of the new Evolution version, which many many people read. Including people who are out to find security problems. In that announcement the word “Security fix” was even put in front of the bug number which contained my patch.
Really, Thomas, do your research before making such conclusions. At least do some small amount of research. Because it really makes no sense at all.
Note that I tried very, very extremely hard to find another word for “dumb”. But it really is what I name it after: a dumb argument. Really do the minimal research and you too will see this.
I’m used to far more intelligent argumentation coming from you, Thomas. I’m indeed confident that this was by mistake, or something.