Evolution: User-assisted execution of arbitrary code

1. Gentoo Linux Security Advisory

Version Information

| Advisory Reference | GLSA 200806-06 / evolution |
| Release Date | June 16, 2008 |
| Latest Revision | June 16, 2008: 01 |
| Impact | normal |
| Exploitable | remote |

| Package | Vulnerable versions | Unaffected versions | Architecture(s) |
| mail-client/evolution | < 2.12.3-r2 | >= 2.12.3-r2 | All supported architectures |

Related bugreports: #223963
Synopsis
Multiple vulnerabilities in Evolution may allow for user-assisted execution
of arbitrary code.
2. Impact Information
Background
Evolution is the mail client of the GNOME desktop environment.
Description
Alin Rad Pop (Secunia Research) reported two vulnerabilities in
Evolution:
- A boundary error exists when parsing overly long timezone strings
  contained within iCalendar attachments and when the ITip formatter is
  disabled (CVE-2008-1108).
- A boundary error exists when replying to an iCalendar request with an
  overly long "DESCRIPTION" property while in calendar view
  (CVE-2008-1109).
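Both issues are triggered by oversized values in an iCalendar attachment (timezone identifiers for CVE-2008-1108, the DESCRIPTION property for CVE-2008-1109). The following is an added example, not code from Gentoo or the Evolution project: a small defensive scanner of the kind a mail gateway or incident responder could run over .ics attachments to flag values far beyond any legitimate size before they reach an unpatched client. The length thresholds and the two sample calendar objects are constructed for this example; the real fix remains the package upgrade in the Resolution section.

```python
"""Flag oversized TZID and DESCRIPTION values in iCalendar data (added example)."""
import re

# Thresholds are an assumption of this example, not taken from the advisory.
# Real calendar data stays far below them, so anything above is worth quarantining.
MAX_TZID_LEN = 255
MAX_DESCRIPTION_LEN = 4096

# Property line: NAME[;PARAM=VALUE...]:VALUE  (quoted colons in parameters are
# not handled; this is a triage heuristic, not a full RFC 5545 parser)
_PROP_RE = re.compile(r"^([A-Za-z0-9-]+)((?:;[^:]*)?):(.*)$")


def unfold(ics_text):
    """Undo RFC 5545 line folding: a line starting with space/tab continues the previous one.

    Measuring length only after unfolding matters, because a long value can be
    spread over many short physical lines and still be reassembled by the client.
    """
    lines = []
    for raw in ics_text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return lines


def parse_property(line):
    """Return (NAME, {PARAM: value}, value) or None if the line is not a property."""
    m = _PROP_RE.match(line)
    if not m:
        return None
    name, params, value = m.group(1).upper(), m.group(2), m.group(3)
    param_dict = {}
    if params:
        for p in params[1:].split(";"):
            if "=" in p:
                k, v = p.split("=", 1)
                param_dict[k.upper()] = v.strip('"')
    return name, param_dict, value


def scan_ics(ics_text):
    """Return a list of (unfolded line number, kind, length) findings."""
    findings = []
    for lineno, line in enumerate(unfold(ics_text), 1):
        parsed = parse_property(line)
        if parsed is None:
            continue
        name, params, value = parsed
        # Timezone identifiers appear as the TZID property of a VTIMEZONE block
        # and as the TZID parameter on DTSTART/DTEND; check both forms.
        tz_values = []
        if name == "TZID":
            tz_values.append(value)
        if "TZID" in params:
            tz_values.append(params["TZID"])
        for tz in tz_values:
            if len(tz) > MAX_TZID_LEN:
                findings.append((lineno, "TZID", len(tz)))
        if name == "DESCRIPTION" and len(value) > MAX_DESCRIPTION_LEN:
            findings.append((lineno, "DESCRIPTION", len(value)))
    return findings


# Constructed sample: an ordinary meeting request with one folded DESCRIPTION.
BENIGN_ICS = "\r\n".join([
    "BEGIN:VCALENDAR", "VERSION:2.0", "METHOD:REQUEST",
    "BEGIN:VTIMEZONE", "TZID:Europe/Berlin", "END:VTIMEZONE",
    "BEGIN:VEVENT", "DTSTART;TZID=Europe/Berlin:20080616T120000",
    "DESCRIPTION:Weekly sync. Agenda", "  attached.",
    "END:VEVENT", "END:VCALENDAR",
])

# Constructed sample: the same object with oversized values, the DESCRIPTION
# folded into 70-character physical lines so only the unfolded length is large.
_LONG_TZ = "X" * 600
_LONG_DESC = "A" * 5000
SUSPICIOUS_ICS = "\r\n".join(
    ["BEGIN:VCALENDAR", "VERSION:2.0", "METHOD:REQUEST",
     "BEGIN:VTIMEZONE", "TZID:" + _LONG_TZ, "END:VTIMEZONE",
     "BEGIN:VEVENT", "DTSTART;TZID=" + _LONG_TZ + ":20080616T120000",
     "DESCRIPTION:" + _LONG_DESC[:60]]
    + [" " + _LONG_DESC[i:i + 70] for i in range(60, len(_LONG_DESC), 70)]
    + ["END:VEVENT", "END:VCALENDAR"]
)

if __name__ == "__main__":
    for label, data in (("benign", BENIGN_ICS), ("suspicious", SUSPICIOUS_ICS)):
        print(label, scan_ics(data))
```

The benign object yields no findings; the oversized one is reported three times (the VTIMEZONE TZID, the TZID parameter on DTSTART, and the reassembled DESCRIPTION), which is the signal a gateway would use to hold the message for review.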
Impact
A remote attacker could entice a user to open a specially crafted
iCalendar attachment, resulting in the execution of arbitrary code with
the privileges of the user running Evolution.
3. Resolution Information
Workaround
There is no known workaround at this time.
Resolution
All Evolution users should upgrade to the latest version:
Code Listing 3.1: Resolution

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=mail-client/evolution-2.12.3-r2"
4. References

CVE-2008-1108
CVE-2008-1109