Evolution: User-assisted execution of arbitrary code
Multiple vulnerabilities in Evolution may allow for user-assisted execution
of arbitrary code.
Package: evolution
Announced: June 16, 2008
Revised: June 16, 2008: 01
Bug: 223963
Access: remote
Unaffected versions: >= 2.12.3-r2
Vulnerable versions: < 2.12.3-r2
Evolution is the mail client of the GNOME desktop environment.
Alin Rad Pop (Secunia Research) reported two vulnerabilities in
Evolution:
- A boundary error exists when parsing overly long timezone strings
  contained within iCalendar attachments and when the ITip formatter is
  disabled (CVE-2008-1108).
- A boundary error exists when replying to an iCalendar request with an
  overly long "DESCRIPTION" property while in calendar view
  (CVE-2008-1109).
A remote attacker could entice a user to open a specially crafted
iCalendar attachment, resulting in the execution of arbitrary code with
the privileges of the user running Evolution.
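Both flaws involve oversized iCalendar fields, so attachments can be screened for them during triage. The following is an added example, not part of this advisory or of Evolution's code; the 512-character threshold, the function names and the sample calendar are assumptions made for illustration.

```python
import re

# Assumption (not from the advisory): values longer than this are treated as suspicious.
MAX_VALUE_LEN = 512

def unfold(text):
    """Undo RFC 5545 folding: a line break followed by a space or tab continues the line."""
    return re.sub(r"\r?\n[ \t]", "", text).splitlines()

def split_content_line(line):
    """Split 'NAME;PARAM=x:VALUE' into (name, params, value); quoted params may hold ';' or ':'."""
    parts, start, quoted = [], 0, False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch in ";:" and not quoted:
            parts.append(line[start:i])
            start = i + 1
            if ch == ":":
                break
    else:
        return None  # no unquoted ':' means this is not a content line
    params = {}
    for p in parts[1:]:
        key, _, val = p.partition("=")
        params[key.upper()] = val.strip('"')
    return parts[0].upper(), params, line[start:]

def scan_icalendar(text, limit=MAX_VALUE_LEN):
    """Return (field, length) pairs for oversized timezone strings and DESCRIPTION values."""
    findings = []
    for line in unfold(text):
        parsed = split_content_line(line)
        if parsed is None:
            continue
        name, params, value = parsed
        tzid = params.get("TZID", "")
        if len(tzid) > limit:
            findings.append((name + ";TZID", len(tzid)))
        if name in ("TZID", "DESCRIPTION") and len(value) > limit:
            findings.append((name, len(value)))
    return findings

# Constructed sample: an oversized TZID parameter and a DESCRIPTION folded into short lines.
SAMPLE = ("BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\n"
          + "DTSTART;TZID=" + "A" * 600 + ":20080616T090000\r\n"
          + "DESCRIPTION:" + "\r\n ".join(["B" * 60] * 20) + "\r\n"
          + "SUMMARY:ok\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n")

if __name__ == "__main__":
    for field, length in scan_icalendar(SAMPLE):
        print(f"{field}: {length} characters")
```

Lengths are measured after unfolding because a long value can be split across many short physical lines, which a per-line length check would miss.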
There is no known workaround at this time.
All Evolution users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=mail-client/evolution-2.12.3-r2"
CVE-2008-1108
CVE-2008-1109
vorlon
vorlon
p-y