[Evolution] Bug#699925: evolution-data-server: EBookBackendSqliteDB doesn’t escape SQL strings
Paul Menzel
pm.debian at googlemail.com
Wed Feb 6 20:53:55 UTC 2013
Package: evolution-data-server
Version: 3.4.4-1
Severity: important
Tags: upstream fixed-upstream patch
Control: forwarded -1 https://bugzilla.gnome.org/show_bug.cgi?id=677871
Control: found -1 3.1.2-1 3.2.1-1
Control: fixed -1 3.5.92-1 3.6.0-1
Control: affects -1 evolution
Dear Debian folks,
I am assigning this to the package `evolution-data-server` despite the
more correct packages being `libedata-book*`.
Mathias Hasselmann <mathias at openismus.com> from Openismus found out that
the function `e_book_client_get_contacts_uids()` does not escape single
quotes and therefore might allow SQL injection attacks against the
summary database [1].
No test case is provided though, and no official security announcement
was made. I am not sure if the Debian Security Team needs to be notified
and am doing so just in case.
The code was introduced in the following commit
commit 1c45fab30784fa1e870620585d1550539d2c978a
Author: Chenthill Palanisamy <pchenthill at novell.com>
Date: Mon Jun 13 16:20:44 2011 +0530
EBookBackendSqliteDB, e-sqlite3-vfs.[ch]: Add sqlitedb cache for addressbook. It can
be used as summary+cache.
addressbook/libedata-book/Makefile.am | 12 +
addressbook/libedata-book/e-book-backend-sqlitedb-test.c | 214 ++++++++++
addressbook/libedata-book/e-book-backend-sqlitedb.c | 1687 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
addressbook/libedata-book/e-book-backend-sqlitedb.h | 190 +++++++++
configure.ac | 5 +
libebackend/Makefile.am | 4 +
libebackend/e-sqlite3-vfs.c | 338 +++++++++++++++
libebackend/e-sqlite3-vfs.h | 26 ++
8 files changed, 2476 insertions(+)
which is present since version 3.1.2 (tag EVOLUTION_DATA_SERVER_3_1_2
according to `git tag --contains 1c45fab3`).
Nobody has checked yet whether similar code makes the E-D-S version
2.30.3-2+squeeze1 in Squeeze vulnerable.
Mathias also attached several patches to the upstream report fixing this
problem. Milan Crha <crha at redhat.com> squashed those and committed the
fix [2] with the following commit [3].
commit 5cff7e6a8ad794c0831f2012652a0fd2c1f8842e
Author: Mathias Hasselmann <mathias at openismus.com>
Date: Wed Sep 12 15:24:11 2012 +0200
Bug #677871 - EBookBackendSqliteDB - Escape SQL strings
Thanks,
Paul
[1] https://bugzilla.gnome.org/show_bug.cgi?id=677871
[2] https://bugzilla.gnome.org/show_bug.cgi?id=677871#c8
[3] http://git.gnome.org/browse/evolution-data-server/commit/?id=5cff7e6a8ad794c0831f2012652a0fd2c1f8842e
-- System Information:
Debian Release: 7.0
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 3.2.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages evolution-data-server depends on:
ii evolution-data-server-common 3.4.4-1
ii gconf-service 3.2.5-1.1
ii libatk1.0-0 2.4.0-2
ii libc6 2.13-38
ii libcairo-gobject2 1.12.2-3
ii libcairo2 1.12.2-3
ii libcamel-1.2-33 3.4.4-1
ii libcomerr2 1.42.5-1
ii libdb5.1 5.1.29-5
ii libdbus-glib-1-2 0.100-1
ii libebackend-1.2-2 3.4.4-1
ii libebook-1.2-13 3.4.4-1
ii libecal-1.2-11 3.4.4-1
ii libedata-book-1.2-13 3.4.4-1
ii libedata-cal-1.2-15 3.4.4-1
ii libedataserver-1.2-16 3.4.4-1
ii libgconf-2-4 3.2.5-1.1
ii libgdata13 0.12.0-1
ii libgdk-pixbuf2.0-0 2.26.1-1
ii libglib2.0-0 2.33.12+really2.32.4-5
ii libgoa-1.0-0 3.4.2-1
ii libgssapi-krb5-2 1.10.1+dfsg-3
ii libgtk-3-0 3.4.2-6
ii libgweather-3-0 3.4.1-1+build1
ii libical0 0.48-2
ii libk5crypto3 1.10.1+dfsg-3
ii libkrb5-3 1.10.1+dfsg-3
ii libldap-2.4-2 2.4.31-1
ii libnspr4 2:4.9.4-2
ii libnspr4-0d 2:4.9.4-2
ii libnss3 2:3.14.1.with.ckbi.1.93-1
ii libnss3-1d 2:3.14.1.with.ckbi.1.93-1
ii liboauth0 0.9.4-3.1
ii libpango1.0-0 1.30.0-1
ii libsoup2.4-1 2.38.1-2
ii libsqlite3-0 3.7.15.2-1
ii libxml2 2.8.0+dfsg1-7
ii zlib1g 1:1.2.7.dfsg-13
evolution-data-server recommends no packages.
Versions of packages evolution-data-server suggests:
ii evolution 3.4.4-1
ii evolution-data-server-dbg 3.4.4-1
-- no debconf information
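The report above describes the bug only in prose: a caller-supplied value (here a contact name) is spliced into the SQL text of the summary database query without escaping single quotes. The following Python/sqlite3 script is an added illustration of that pattern and of the two usual fixes; it is not code from evolution-data-server or from the upstream patch. The `folder_summary` table, its columns and the three sample contacts are constructed for the example, and `sql_escape()` mirrors the SQL-standard rule (double every single quote) that SQLite's `%q` format applies; the bound-parameter variant is the stronger fix because the statement text never changes.

```python
import sqlite3

# Constructed sample data; the real E-D-S summary schema is not reproduced here.
SAMPLE_CONTACTS = [
    ("uid-1", "Alice Example", "alice@example.org"),
    ("uid-2", "Bob O'Brien", "bob@example.org"),
    ("uid-3", "Carol Example", "carol@example.org"),
]


def make_summary_db():
    """Build an in-memory stand-in for the address-book summary database."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE folder_summary (uid TEXT PRIMARY KEY, full_name TEXT, email TEXT)"
    )
    db.executemany("INSERT INTO folder_summary VALUES (?, ?, ?)", SAMPLE_CONTACTS)
    return db


def get_contact_uids_unescaped(db, full_name):
    """Vulnerable pattern: the value is pasted into the statement text, so a
    single quote inside it ends the literal and the rest is parsed as SQL."""
    sql = "SELECT uid FROM folder_summary WHERE full_name = '" + full_name + "'"
    return [row[0] for row in db.execute(sql)]


def sql_escape(value):
    """Escape a string for use inside a single-quoted SQL literal by doubling
    every single quote (the same rule sqlite3_mprintf's %q implements)."""
    return value.replace("'", "''")


def get_contact_uids_escaped(db, full_name):
    """Fix 1: escape the value before building the literal."""
    sql = (
        "SELECT uid FROM folder_summary WHERE full_name = '"
        + sql_escape(full_name)
        + "'"
    )
    return [row[0] for row in db.execute(sql)]


def get_contact_uids_bound(db, full_name):
    """Fix 2 (preferred): bind the value as a parameter; no quoting is
    needed because the value is never part of the SQL text."""
    rows = db.execute(
        "SELECT uid FROM folder_summary WHERE full_name = ?", (full_name,)
    )
    return [row[0] for row in rows]


def try_lookup(fn, db, full_name):
    """Run a lookup and return None when SQLite rejects the statement; a
    legitimate apostrophe in a name is enough to break the unescaped variant."""
    try:
        return fn(db, full_name)
    except sqlite3.OperationalError:
        return None


if __name__ == "__main__":
    db = make_summary_db()
    payload = "x' OR '1'='1"  # constructed injection value
    print("unescaped:", get_contact_uids_unescaped(db, payload))  # every uid
    print("escaped:  ", get_contact_uids_escaped(db, payload))    # []
    print("bound:    ", get_contact_uids_bound(db, payload))      # []
    print("apostrophe, unescaped:", try_lookup(get_contact_uids_unescaped, db, "Bob O'Brien"))
    print("apostrophe, bound:    ", try_lookup(get_contact_uids_bound, db, "Bob O'Brien"))
```

Note that the unescaped variant fails twice over: a crafted value widens the `WHERE` clause to match every row, and an ordinary name containing an apostrophe produces a syntax error instead of a result, which is usually how this class of bug is first noticed.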