[Evolution-hackers] CVE-2011-3201 Issue in evolution

From: "Vibha Yadav" <yvibha suse com>
To: <evolution-hackers gnome org>
Subject: [Evolution-hackers] CVE-2011-3201 Issue in evolution
Date: Mon, 12 Sep 2011 00:40:31 -0600

Hi All,

I just came across the bug
https://bugzilla.redhat.com/show_bug.cgi?id=733504 , CVE-2011-3201
evolution: mailto: attachment parameter can lead to accidental data
exfiltration.

Going ahead with the blacklist approach in
https://bugzilla.redhat.com/show_bug.cgi?id=733504#c8, I am attaching a
basic patch.

Kindly provide your opinion about the solution and files to be
blacklisted.

I have following list of files to be blacklisted:

"/etc/passwd", "/etc/cipe/options", "/etc/exports", "/etc/gshadow",
"/etc/hosts.allow", "/etc/hosts.deny", "/etc/hosts.equiv",
"/etc/ipsec.secrets", "/etc/lilo.conf", "/etc/ppp/chap-secrets",
"/etc/ppp/pap-secrets", "/etc/samba/smbpasswd", "/etc/securetty",
"/etc/security/access.conf", "/etc/shadow", "/etc/slip/slip.passwd",
"/etc/smbpasswd", "/etc/snmp/snmpd.conf", "/etc/ssh/shosts.equiv",
"/etc/ssh", "/etc/sudoers", "/etc/tripwire", "/etc/vpnd/mysecret.key",
"/etc/vpnd/vpnd.lcl.key", "/etc/vpnd/", "/etc/vtund.conf",
".ICEauthority", ".Xauthority", ".aim/AIM.cfg", ".cvspass",
".fetchmailrc", ".gaimrc", ".gpg/", ".gnome_private/", ".gnupg/",
".micqrc", ".ncftp/firewall", ".nessus.keys", ".netrc",
".pgp/secring.pgp", ".pgp/", ".rhosts", ".shosts",
".silc/private_key.prv", ".ssh", ".vmware", ".vnc/passwd", ".xchat/",
"/root/.ICEauthority", "/root/.Xauthority", "/root/.aim/AIM.cfg",
"/root/.cvspass", "/root/.fetchmailrc", "/root/.gaimrc", "/root/.gpg/",
"/root/.gnome_private/", "/root/.gnupg/","/root/.micqrc",
"/root/.ncftp/firewall", "/root/.nessus.keys", "/root/.netrc",
"/root/.pgp/", "/root/.rhosts", "/root/.shosts",
"/root/.silc/private_key.prv", "/root/.ssh", "/root/.vmware/",
"/root/.vnc/passwd", "/root/.xchat/serverlist.conf",
"/root/.xchat/servers.conf", "/var/log/secure*", ".", ".."

diff --git a/composer/e-msg-composer.c b/composer/e-msg-composer.c
index 22245ea..2939b6a 100644
--- a/composer/e-msg-composer.c
+++ b/composer/e-msg-composer.c
@@ -3998,6 +3998,34 @@ merge_always_cc_and_bcc (EComposerHeaderTable *table,
 	merge_cc_bcc (addrv, bcc, to, *cc, *bcc);
 	e_destination_freev (addrv);
 }
+static const gchar *blacklisted_files [] = {"/etc/passwd", "/etc/cipe/options", "/etc/exports", "/etc/gshadow", "/etc/hosts.allow", "/etc/hosts.deny", 
+						"/etc/hosts.equiv", "/etc/ipsec.secrets", "/etc/lilo.conf", "/etc/ppp/chap-secrets", 
+						"/etc/ppp/pap-secrets", "/etc/samba/smbpasswd", "/etc/securetty", "/etc/security/access.conf",
+						"/etc/shadow", "/etc/slip/slip.passwd", "/etc/smbpasswd", "/etc/snmp/snmpd.conf", "/etc/ssh/shosts.equiv",
+						"/etc/ssh", "/etc/sudoers", "/etc/tripwire", "/etc/vpnd/mysecret.key", "/etc/vpnd/vpnd.lcl.key", "/etc/vpnd/",
+						"/etc/vtund.conf", ".ICEauthority", ".Xauthority", ".aim/AIM.cfg", ".cvspass", ".fetchmailrc", ".gaimrc",
+						".gpg/", ".gnome_private/", ".gnupg/", ".micqrc", ".ncftp/firewall", ".nessus.keys", ".netrc", 
+						".pgp/secring.pgp", ".pgp/", ".rhosts", ".shosts", ".silc/private_key.prv", ".ssh",
+						".vmware", ".vnc/passwd", ".xchat/", "/root/.ICEauthority", "/root/.Xauthority", "/root/.aim/AIM.cfg",
+						"/root/.cvspass", "/root/.fetchmailrc", "/root/.gaimrc", "/root/.gpg/", "/root/.gnome_private/", "/root/.gnupg/",
+						"/root/.micqrc", "/root/.ncftp/firewall", "/root/.nessus.keys", "/root/.netrc", "/root/.pgp/", "/root/.rhosts",
+						"/root/.shosts", "/root/.silc/private_key.prv", "/root/.ssh", "/root/.vmware/", "/root/.vnc/passwd",
+						"/root/.xchat/serverlist.conf", "/root/.xchat/servers.conf", "/var/log/secure*", ".", ".."};
+
+gboolean check_blacklisted_file (gchar *filename)
+{
+	gboolean blacklisted = FALSE;
+	gint i,len;
+
+	for(i = 0; !blacklisted && i < G_N_ELEMENTS(blacklisted_files); i++)
+	{
+		len = strlen(blacklisted_files[i]);
+		if(g_strstr_len(filename, len, blacklisted_files[i]))
+			blacklisted = TRUE;
+	}
+	
+	return blacklisted;
+}
 
 static void
 handle_mailto (EMsgComposer *composer,
@@ -4090,8 +4118,17 @@ handle_mailto (EMsgComposer *composer,
 			} else if (!g_ascii_strcasecmp (header, "attach") ||
 				   !g_ascii_strcasecmp (header, "attachment")) {
 				EAttachment *attachment;
+				gboolean check = FALSE;
+				GError *error = NULL;
 
 				camel_url_decode (content);
+				check = check_blacklisted_file(content);
+				if(check)
+				{
+					g_warning("Blacklisted File");
+					g_set_error(&error, CAMEL_ERROR, CAMEL_ERROR_GENERIC,
+							_("The attachment named %s is a hidden file and may contain sensitive data."), content);
+				}
 				if (g_ascii_strncasecmp (content, "file:", 5) == 0)
 					attachment = e_attachment_new_for_uri (content);
 				else

Follow-Ups:
- Re: [Evolution-hackers] CVE-2011-3201 Issue in evolution
  - From: Matthew Barnes

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]