Evolution 2.8.1 and earlier does not properly use the --status-fd argument when invoking GnuPG. As a result, Evolution cannot visually distinguish between signed and unsigned portions of OpenPGP messages with multiple components, which allows remote attackers to forge the contents of a message without detection.

OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
Debian | 12 | all | evolution | <= 3.46.4-2 | evolution_3.46.4-2_all.deb |
Debian | 11 | all | evolution | <= 3.38.3-1+deb11u2 | evolution_3.38.3-1+deb11u2_all.deb |
Debian | 10 | all | evolution | <= 3.30.5-1.1 | evolution_3.30.5-1.1_all.deb |
Debian | 999 | all | evolution | <= 3.52.1-4 | evolution_3.52.1-4_all.deb |
Debian | 13 | all | evolution | <= 3.52.1-4 | evolution_3.52.1-4_all.deb |