9.3 - CVE-2008-1109

Executive Summary

Informations
Name	CVE-2008-1109	First vendor Publication	2008-06-04
Vendor	Cve	Last vendor Modification	2017-09-29

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score	9.3	Attack Range	Network
Cvss Impact Score	10	Attack Complexity	Medium
Cvss Expoit Score	8.6	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Heap-based buffer overflow in Evolution 2.22.1 allows user-assisted remote attackers to execute arbitrary code via a long DESCRIPTION property in an iCalendar attachment, which is not properly handled during a reply in the calendar view (aka the Calendars window).

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1109

CWE : Common Weakness Enumeration

%	Id	Name
100 %	CWE-119	Failure to Constrain Operations within the Bounds of a Memory Buffer

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:10337

Oval ID:	oval:org.mitre.oval:def:10337
Title:	Heap-based buffer overflow in Evolution 2.22.1 allows user-assisted remote attackers to execute arbitrary code via a long DESCRIPTION property in an iCalendar attachment, which is not properly handled during a reply in the calendar view (aka the Calendars window).
Description:	Heap-based buffer overflow in Evolution 2.22.1 allows user-assisted remote attackers to execute arbitrary code via a long DESCRIPTION property in an iCalendar attachment, which is not properly handled during a reply in the calendar view (aka the Calendars window).
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2008-1109	Version:	5
Platform(s):	Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5	Product(s):
Definition Synopsis:
OS Section: RHEL4, CentOS4, Oracle Linux 4 RHEL4, CentOS4 or Oracle Linux 4 The operating system installed on the system is Red Hat Enterprise Linux 4 AND CentOS Linux 4.x AND Oracle Linux 4.x AND Configuration section evolution28 is earlier than 0:2.8.0-53.el4_6.3 AND evolution28-devel is earlier than 0:2.8.0-53.el4_6.3 OR OS Section: RHEL5, CentOS5, Oracle Linux 5 RHEL5, CentOS5 or Oracle Linux 5 The operating system installed on the system is Red Hat Enterprise Linux 5 AND CentOS Linux 5.x AND Oracle Linux 5.x AND Configuration section evolution-help is earlier than 0:2.12.3-8.el5_2.2 AND evolution is earlier than 0:2.12.3-8.el5_2.2 AND evolution-devel is earlier than 0:2.12.3-8.el5_2.2

Definition Id: oval:org.mitre.oval:def:17650

Oval ID:	oval:org.mitre.oval:def:17650
Title:	USN-615-1 -- evolution vulnerabilities
Description:	Alin Rad Pop of Secunia Research discovered that Evolution did not properly validate timezone data when processing iCalendar attachments.
Family:	unix	Class:	patch
Reference(s):	USN-615-1 CVE-2008-1108 CVE-2008-1109	Version:	7
Platform(s):	Ubuntu 6.06 Ubuntu 7.04 Ubuntu 7.10 Ubuntu 8.04	Product(s):	evolution
Definition Synopsis:
Release section Ubuntu 6.06 is installed AND evolution DPKG is earlier than 2.6.1-0ubuntu7.4 AND Release section Ubuntu 7.04 is installed AND evolution DPKG is earlier than 2.10.1-0ubuntu2.4 AND Release section Ubuntu 7.10 is installed AND evolution DPKG is earlier than 2.12.1-0ubuntu1.3 AND Release section Ubuntu 8.04 is installed AND evolution DPKG is earlier than 2.22.2-0ubuntu1.2

Definition Id: oval:org.mitre.oval:def:22709

Oval ID:	oval:org.mitre.oval:def:22709
Title:	ELSA-2008:0514: evolution security update (Important)
Description:	Heap-based buffer overflow in Evolution 2.22.1 allows user-assisted remote attackers to execute arbitrary code via a long DESCRIPTION property in an iCalendar attachment, which is not properly handled during a reply in the calendar view (aka the Calendars window).
Family:	unix	Class:	patch
Reference(s):	ELSA-2008:0514-01 CVE-2008-1108 CVE-2008-1109	Version:	13
Platform(s):	Oracle Linux 5	Product(s):	evolution
Definition Synopsis:
Oracle Linux 5.x rpm test evolution-help is earlier than 0:2.12.3-8.el5_2.2 AND evolution is earlier than 0:2.12.3-8.el5_2.2 AND evolution-devel is earlier than 0:2.12.3-8.el5_2.2

CPE : Common Platform Enumeration

Type	Description	Count
Application	Gnome Evolution cpe:2.3:a:gnome:evolution:2.22.1:::::::*	1

OpenVAS Exploits

Date	Description
2009-04-09	Name : Mandriva Update for evolution MDVSA-2008:111 (evolution) File : nvt/gb_mandriva_MDVSA_2008_111.nasl
2009-03-23	Name : Ubuntu Update for evolution vulnerabilities USN-615-1 File : nvt/gb_ubuntu_USN_615_1.nasl
2009-03-06	Name : RedHat Update for evolution28 RHSA-2008:0515-01 File : nvt/gb_RHSA-2008_0515-01_evolution28.nasl
2009-02-27	Name : CentOS Update for evolution28 CESA-2008:0515 centos4 i386 File : nvt/gb_CESA-2008_0515_evolution28_centos4_i386.nasl
2009-02-27	Name : CentOS Update for evolution28 CESA-2008:0515 centos4 x86_64 File : nvt/gb_CESA-2008_0515_evolution28_centos4_x86_64.nasl
2009-02-17	Name : Fedora Update for evolution FEDORA-2008-4990 File : nvt/gb_fedora_2008_4990_evolution_fc9.nasl
2009-02-17	Name : Fedora Update for evolution FEDORA-2008-5016 File : nvt/gb_fedora_2008_5016_evolution_fc8.nasl
2009-02-17	Name : Fedora Update for evolution FEDORA-2008-5018 File : nvt/gb_fedora_2008_5018_evolution_fc7.nasl
2009-01-23	Name : SuSE Update for evolution SUSE-SA:2008:028 File : nvt/gb_suse_2008_028.nasl
2008-09-24	Name : Gentoo Security Advisory GLSA 200806-06 (evolution) File : nvt/glsa_200806_06.nasl

Open Source Vulnerability Database (OSVDB)

Id	Description
46006	Evolution iCalendar Calendar View Attachment DESCRIPTION Property Handling Ov...

Nessus® Vulnerability Scanner

Date	Description
2013-07-12	Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2008-0515.nasl - Type : ACT_GATHER_INFO
2012-08-01	Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20080604_evolution28_on_SL4_6.nasl - Type : ACT_GATHER_INFO
2012-08-01	Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20080604_evolution_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2010-01-06	Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2008-0514.nasl - Type : ACT_GATHER_INFO
2009-04-23	Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2008-111.nasl - Type : ACT_GATHER_INFO
2008-06-18	Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200806-06.nasl - Type : ACT_GATHER_INFO
2008-06-16	Name : The remote openSUSE host is missing a security update. File : suse_evolution-5326.nasl - Type : ACT_GATHER_INFO
2008-06-16	Name : The remote SuSE 10 host is missing a security-related patch. File : suse_evolution-5327.nasl - Type : ACT_GATHER_INFO
2008-06-09	Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2008-0515.nasl - Type : ACT_GATHER_INFO
2008-06-09	Name : The remote Fedora host is missing a security update. File : fedora_2008-4990.nasl - Type : ACT_GATHER_INFO
2008-06-09	Name : The remote Fedora host is missing a security update. File : fedora_2008-5016.nasl - Type : ACT_GATHER_INFO
2008-06-09	Name : The remote Fedora host is missing a security update. File : fedora_2008-5018.nasl - Type : ACT_GATHER_INFO
2008-06-09	Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-615-1.nasl - Type : ACT_GATHER_INFO
2008-06-05	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2008-0515.nasl - Type : ACT_GATHER_INFO
2008-06-04	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2008-0514.nasl - Type : ACT_GATHER_INFO

Sources (Detail)

Source	Url
BID	http://www.securityfocus.com/bid/29527
FEDORA	https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00157.html https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00178.html https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00179.html
GENTOO	http://security.gentoo.org/glsa/glsa-200806-06.xml
MANDRIVA	http://www.mandriva.com/security/advisories?name=MDVSA-2008:111
MISC	http://secunia.com/secunia_research/2008-23/advisory/
OVAL	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.ova...
REDHAT	http://www.redhat.com/support/errata/RHSA-2008-0514.html http://www.redhat.com/support/errata/RHSA-2008-0515.html
SECTRACK	http://www.securitytracker.com/id?1020170
SECUNIA	http://secunia.com/advisories/30298 http://secunia.com/advisories/30527 http://secunia.com/advisories/30564 http://secunia.com/advisories/30571 http://secunia.com/advisories/30702 http://secunia.com/advisories/30716
SUSE	http://lists.opensuse.org/opensuse-security-announce/2008-06/msg00003.html
UBUNTU	http://www.ubuntu.com/usn/usn-615-1
VUPEN	http://www.vupen.com/english/advisories/2008/1732/references
XF	https://exchange.xforce.ibmcloud.com/vulnerabilities/42826

Alert History

If you want to see full details history, please login or register.

Date	Informations
2021-05-04 12:07:12	Multiple Updates
2021-04-22 01:07:37	Multiple Updates
2020-05-23 00:21:21	Multiple Updates
2017-09-29 09:23:26	Multiple Updates
2017-08-08 09:23:54	Multiple Updates
2016-04-26 17:11:03	Multiple Updates
2014-02-17 10:44:04	Multiple Updates
2013-05-11 00:11:10	Multiple Updates

Global Informations

Type	Count
CWE ID(s)	1
Oval ID(s)	3
CPE ID(s)	1
Sources(s)	21
osvdb(s)	1
Openvas Exploit(s)	10
Nessus® Exploit(s)	15

	Related
9.3	USN-615-1
9.3	RHSA-2008:0515
9.3	RHSA-2008:0514
9.3	MDVSA-2008:111
9.3	GLSA-200806-06
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 5 more Alert(s)

9.3 - CVE-2008-1109

Executive Summary

Security-Database Scoring CVSS v3

Security-Database Scoring CVSS v2

Detail

Original Source

CWE : Common Weakness Enumeration

OVAL Definitions

CPE : Common Platform Enumeration

OpenVAS Exploits

Open Source Vulnerability Database (OSVDB)

Nessus® Vulnerability Scanner

Sources (Detail)

Alert History

Global Informations

Open Standards

Other Databases

COMPANY

STANDARDS

RECENT POSTS

MENU