<title>Evolution: User-assisted execution of arbitrary code</title>
Multiple vulnerabilities in Evolution may allow for user-assisted execution
of arbitrary code.
<product type="ebuild">evolution</product>
<announced>June 16, 2008</announced>
<revised>June 16, 2008: 01</revised>
<package name="mail-client/evolution" auto="yes" arch="*">
<unaffected range="ge">2.12.3-r2</unaffected>
<vulnerable range="lt">2.12.3-r2</vulnerable>
Evolution is the mail client of the GNOME desktop environment.
Alin Rad Pop (Secunia Research) reported two vulnerabilities in
A boundary error exists when parsing overly long timezone strings
contained within iCalendar attachments and when the ITip formatter is
disabled (CVE-2008-1108).
A boundary error exists when replying to an iCalendar request with an
overly long "DESCRIPTION" property while in calendar view
<impact type="normal">
A remote attacker could entice a user to open a specially crafted
iCalendar attachment, resulting in the execution of arbitrary code with
the privileges of the user running Evolution.
There is no known workaround at this time.
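Both boundary errors described above depend on oversized iCalendar fields, so attachments can be screened for them before they reach an unpatched client. The following Python is an added example, not part of this advisory or of Evolution; the length thresholds and the choice of TZID/TZNAME as the timezone fields to check are assumptions.

```python
import re

# Screening thresholds are assumptions for this example, not values from the advisory.
MAX_TZ_LEN = 256
MAX_DESCRIPTION_LEN = 8192

def unfold(ics_text):
    """Undo RFC 5545 folding: a line break followed by space or tab continues the line."""
    return re.sub(r"\r?\n[ \t]", "", ics_text).splitlines()

def split_content_line(line):
    """Split 'NAME;PARAM=V:value' into (name, params, value); ':' inside quotes is data."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ":" and not in_quotes:
            head, value = line[:i], line[i + 1:]
            break
    else:
        return None  # no unquoted ':' means this is not a content line
    name, *raw_params = re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', head)
    params = {}
    for raw in raw_params:
        key, _, val = raw.partition("=")
        params[key.upper()] = val.strip('"')
    return name.upper(), params, value

def scan_ics(ics_text):
    """Return (line_no, field, length) for each oversized timezone or DESCRIPTION field."""
    findings = []
    for line_no, line in enumerate(unfold(ics_text), 1):
        parsed = split_content_line(line)
        if parsed is None:
            continue
        name, params, value = parsed
        if name in ("TZID", "TZNAME") and len(value) > MAX_TZ_LEN:
            findings.append((line_no, name, len(value)))
        if len(params.get("TZID", "")) > MAX_TZ_LEN:
            findings.append((line_no, name + ";TZID", len(params["TZID"])))
        if name == "DESCRIPTION" and len(value) > MAX_DESCRIPTION_LEN:
            findings.append((line_no, name, len(value)))
    return findings

# Constructed sample (not a captured message): the TZID line is folded and oversized.
SAMPLE = "\r\n".join([
    "BEGIN:VEVENT", 'DTSTART;TZID="Europe/Berlin":20080616T090000',
    "DESCRIPTION:Weekly sync", "TZID:" + "A" * 70, " " + "A" * 300, "END:VEVENT",
])
```

Call `scan_ics()` on the decoded text of a `text/calendar` part; line numbers in the findings refer to unfolded content lines.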
All Evolution users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=mail-client/evolution-2.12.3-r2"
<uri link="">CVE-2008-1108</uri>
<uri link="">CVE-2008-1109</uri>
