Lucene search

K
certCERTVU:512491
HistoryMar 07, 2008 - 12:00 a.m.

GNOME Evolution format string vulnerability

2008-03-0700:00:00
www.kb.cert.org
11

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.435 Medium

EPSS

Percentile

97.4%

Overview

The GNOME Evolution mail client contains a format string vulnerability that may allow an attacker to execute code.

Description

Evolution is the default mail client for the GNOME desktop environment. Evolution supports both GPG and S/MIME mail encryption.

From Secunia Advisory SA29057:
_A format string error in the β€œemf_multipart_encrypted()” function in mail/em-format.c when displaying data (e.g. the β€œVersion:” field) from an encrypted e-mail message can be exploited to execute arbitrary code via a specially crafted e-mail message.

Successful exploitation requires that the user selects a malicious e-mail message._


Impact

A remote, unauthenticated attacker may be able to execute arbitrary code or cause Evolution to crash.


Solution

Upgrade

The Evolution team has released a patch to address this issue. See GNOME Bug 520745 for more information. Users and administrators who do not compile Evolution from source should obtain fixed software from their operating system vendor.


Vendor Information

512491

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Debian GNU/Linux Affected

Updated: March 07, 2008

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

GNOME __ Affected

Updated: March 07, 2008

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See <http://bugzilla.gnome.org/show_bug.cgi?id=520745&gt; for more details.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23512491 Feedback>).

Gentoo Linux __ Affected

Updated: March 07, 2008

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See <http://www.gentoo.org/security/en/glsa/glsa-200803-12.xml&gt; for more details.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23512491 Feedback>).

Red Hat, Inc. __ Affected

Updated: March 07, 2008

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See <https://rhn.redhat.com/errata/RHSA-2008-0177.html&gt; for more information.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23512491 Feedback>).

Ubuntu __ Affected

Updated: March 07, 2008

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See <http://www.ubuntu.com/usn/usn-583-1&gt; for more information.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23512491 Feedback>).

CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

This vulnerability was made public by Ulf Harnhammar of Secunia Research.

This document was written by Ryan Giobbi.

Other Information

CVE IDs: CVE-2008-0072
Severity Metric: 1.80 Date Public:

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.435 Medium

EPSS

Percentile

97.4%