Executive Summary
Summary | |
---|---|
Title | New evolution packages fix arbitrary code execution |
Informations | |||
---|---|---|---|
Name | DSA-1512 | First vendor Publication | 2008-03-05 |
Vendor | Debian | Last vendor Modification | 2008-03-05 |
Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 6.8 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Medium |
Cvss Expoit Score | 8.6 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Ulf Härnhammar discovered that Evolution, the e-mail and groupware suite, had a format string vulnerability in the parsing of encrypted mail messages. If the user opened a specially crafted email message, code execution was possible. For the stable distribution (etch), this problem has been fixed in version 2.6.3-6etch2. For the old stable distribution (sarge), this problem has been fixed in version 2.0.4-2sarge3. Some architectures have not yet completed building the updated package for sarge at this time, they will be added as they come available. For the unstable distribution (sid), this problem has been fixed in version 2.12.3-1.1. We recommend that you upgrade your evolution package. |
Original Source
Url : http://www.debian.org/security/2008/dsa-1512 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-134 | Uncontrolled Format String (CWE/SANS Top 25) |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:10701 | |||
Oval ID: | oval:org.mitre.oval:def:10701 | ||
Title: | Format string vulnerability in the emf_multipart_encrypted function in mail/em-format.c in Evolution 2.12.3 and earlier allows remote attackers to execute arbitrary code via a crafted encrypted message, as demonstrated using the Version field. | ||
Description: | Format string vulnerability in the emf_multipart_encrypted function in mail/em-format.c in Evolution 2.12.3 and earlier allows remote attackers to execute arbitrary code via a crafted encrypted message, as demonstrated using the Version field. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2008-0072 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:17638 | |||
Oval ID: | oval:org.mitre.oval:def:17638 | ||
Title: | USN-583-1 -- evolution vulnerability | ||
Description: | Ulf Harnhammar discovered that Evolution did not correctly handle format strings when processing encrypted emails. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-583-1 CVE-2008-0072 | Version: | 7 |
Platform(s): | Ubuntu 6.06 Ubuntu 6.10 Ubuntu 7.04 Ubuntu 7.10 | Product(s): | evolution |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:20381 | |||
Oval ID: | oval:org.mitre.oval:def:20381 | ||
Title: | DSA-1512-1 evolution - remote code execution | ||
Description: | Ulf Härnhammar discovered that Evolution, the e-mail and groupware suite, had a format string vulnerability in the parsing of encrypted mail messages. If the user opened a specially crafted email message, code execution was possible. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1512-1 CVE-2008-0072 | Version: | 5 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | evolution |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:22716 | |||
Oval ID: | oval:org.mitre.oval:def:22716 | ||
Title: | ELSA-2008:0177: evolution security update (Critical) | ||
Description: | Format string vulnerability in the emf_multipart_encrypted function in mail/em-format.c in Evolution 2.12.3 and earlier allows remote attackers to execute arbitrary code via a crafted encrypted message, as demonstrated using the Version field. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2008:0177-01 CVE-2008-0072 | Version: | 6 |
Platform(s): | Oracle Linux 5 | Product(s): | evolution evolution28 |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:7919 | |||
Oval ID: | oval:org.mitre.oval:def:7919 | ||
Title: | DSA-1512 evolution -- format string attack | ||
Description: | Ulf Haumlrnhammar discovered that Evolution, the e-mail and groupware suite, had a format string vulnerability in the parsing of encrypted mail messages. If the user opened a specially crafted email message, code execution was possible. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1512 CVE-2008-0072 | Version: | 3 |
Platform(s): | Debian GNU/Linux 4.0 Debian GNU/Linux 3.1 | Product(s): | evolution |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2009-04-09 | Name : Mandriva Update for evolution MDVSA-2008:063 (evolution) File : nvt/gb_mandriva_MDVSA_2008_063.nasl |
2009-03-23 | Name : Ubuntu Update for evolution vulnerability USN-583-1 File : nvt/gb_ubuntu_USN_583_1.nasl |
2009-03-06 | Name : RedHat Update for evolution RHSA-2008:0177-01 File : nvt/gb_RHSA-2008_0177-01_evolution.nasl |
2009-02-27 | Name : CentOS Update for evolution CESA-2008:0177 centos4 i386 File : nvt/gb_CESA-2008_0177_evolution_centos4_i386.nasl |
2009-02-27 | Name : CentOS Update for evolution CESA-2008:0177 centos4 x86_64 File : nvt/gb_CESA-2008_0177_evolution_centos4_x86_64.nasl |
2009-02-17 | Name : Fedora Update for evolution FEDORA-2008-5016 File : nvt/gb_fedora_2008_5016_evolution_fc8.nasl |
2009-02-17 | Name : Fedora Update for evolution FEDORA-2008-5018 File : nvt/gb_fedora_2008_5018_evolution_fc7.nasl |
2009-02-16 | Name : Fedora Update for evolution FEDORA-2008-2290 File : nvt/gb_fedora_2008_2290_evolution_fc7.nasl |
2009-02-16 | Name : Fedora Update for evolution FEDORA-2008-2292 File : nvt/gb_fedora_2008_2292_evolution_fc8.nasl |
2009-01-23 | Name : SuSE Update for evolution SUSE-SA:2008:014 File : nvt/gb_suse_2008_014.nasl |
2008-09-24 | Name : Gentoo Security Advisory GLSA 200803-12 (evolution) File : nvt/glsa_200803_12.nasl |
2008-03-11 | Name : Debian Security Advisory DSA 1512-1 (evolution) File : nvt/deb_1512_1.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
42804 | Evolution mail/em-format.c emf_multipart_encrypted Function Crafted Encrypted... |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2008-0177.nasl - Type : ACT_GATHER_INFO |
2013-01-24 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2008-0178.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20080305_evolution_on_SL4_x.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2008-063.nasl - Type : ACT_GATHER_INFO |
2008-03-13 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2008-0177.nasl - Type : ACT_GATHER_INFO |
2008-03-13 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_evolution-5086.nasl - Type : ACT_GATHER_INFO |
2008-03-13 | Name : The remote openSUSE host is missing a security update. File : suse_evolution-5087.nasl - Type : ACT_GATHER_INFO |
2008-03-07 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1512.nasl - Type : ACT_GATHER_INFO |
2008-03-07 | Name : The remote Fedora host is missing a security update. File : fedora_2008-2290.nasl - Type : ACT_GATHER_INFO |
2008-03-07 | Name : The remote Fedora host is missing a security update. File : fedora_2008-2292.nasl - Type : ACT_GATHER_INFO |
2008-03-07 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200803-12.nasl - Type : ACT_GATHER_INFO |
2008-03-07 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2008-0177.nasl - Type : ACT_GATHER_INFO |
2008-03-07 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-583-1.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:27:24 |
|