Gentoo FoundationGLSA-200806-06Evolution: User-assisted execution of arbitrary code
9.3 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.165 Low
EPSS
Percentile
96.0%
Background
Evolution is the mail client of the GNOME desktop environment.
Description
Alin Rad Pop (Secunia Research) reported two vulnerabilities in Evolution:
- A boundary error exists when parsing overly long timezone strings contained within iCalendar attachments and when the ITip formatter is disabled (CVE-2008-1108).
- A boundary error exists when replying to an iCalendar request with an overly long “DESCRIPTION” property while in calendar view (CVE-2008-1109).
Impact
A remote attacker could entice a user to open a specially crafted iCalendar attachment, resulting in the execution of arbitrary code with the privileges of the user running Evolution.
Workaround
There is no known workaround at this time.
Resolution
All Evolution users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=mail-client/evolution-2.12.3-r2"
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| Gentoo | any | all | mail-client/evolution | < 2.12.3-r2 | UNKNOWN |
Related
9.3 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.165 Low
EPSS
Percentile
96.0%