Headline
CVE-2007-0010: 218932 – CVE-2007-0010 GdbPixbufLoader fails to handle invalid input from Evolution correctly
The GdkPixbufLoader function in GIMP ToolKit (GTK+) in GTK 2 (gtk2) before 2.4.13 allows context-dependent attackers to cause a denial of service (crash) via a malformed image file.
Description Lubomir Kundrak 2006-12-08 15:39:30 UTC
+++ This bug was initially created as a clone of Bug #218755 +++
Description of problem:
evolution crashes on the spam mail I’ll attach as mbox; the crash may well turn out to be a security issue in itself. But just crashing is serious since the next time evo opens it immediately goes back to the same mail and crashes again, so a non-expert user cannot recover from this.
I suspect RHEL5 is affected too
– Additional comment from [email protected] on 2006-12-07 06:07 EST – Created an attachment (id=143043) mbox with the crashing mail
– Additional comment from [email protected] on 2006-12-08 10:08 EST – The file “navigable.gif” is incorrectly encoded. I think evolution should not feed underlying gdk with the corrupted data, but I doubt an assertion failure there is the right way to handle the faulty gif.
When you extract the file (with reformime or evolution) and either try to view it with firefox or gqview or embed it in another email message and open in evolution it is correctly reported as being broken.
Moreover there’s some interesting stuff in the broken base64 data: for example the IN-SB-8XX-PLATFORMS string encoded there. How could it happen to came there? Maybe this message was meant to exploit some windows software or encoded by a horribly broken software? I got no smarter after disassembling the 8bit parts of the part.
– Additional comment from [email protected] on 2006-12-08 10:18 EST – Created an attachment (id=143153) Backtrace from FC6
evolution-2.8.2.1-2.fc6 gtk2-2.10.4-6.fc6
Comment 2 Matthias Clasen 2007-01-10 13:45:57 UTC
Backported fix is in gtk2-2.4.13-20
Comment 3 Lubomir Kundrak 2007-01-10 15:16:05 UTC
Evolution in RHEL-3 doesn’t crash, so the issue is virtually harmless there – we won’t issue an update for RHEL-3.
Comment 8 Red Hat Bugzilla 2007-01-24 16:09:48 UTC
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.
http://rhn.redhat.com/errata/RHSA-2007-0019.html