Executive Summary
Summary | |
---|---|
Title | Evolution vulnerabilities |
Informations | |||
---|---|---|---|
Name | USN-615-1 | First vendor Publication | 2008-06-06 |
Vendor | Ubuntu | Last vendor Modification | 2008-06-06 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 9.3 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Medium |
Cvss Expoit Score | 8.6 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS Ubuntu 7.04 Ubuntu 7.10 Ubuntu 8.04 LTS This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: Ubuntu 7.04: Ubuntu 7.10: Ubuntu 8.04 LTS: After a standard system upgrade you need to restart Evolution to effect the necessary changes. Details follow: Alin Rad Pop of Secunia Research discovered that Evolution did not properly validate timezone data when processing iCalendar attachments. If a user disabled the ITip Formatter plugin and viewed a crafted iCalendar attachment, an attacker could cause a denial of service or possibly execute code with user privileges. Note that the ITip Formatter plugin is enabled by default in Ubuntu. (CVE-2008-1108) Alin Rad Pop of Secunia Research discovered that Evolution did not properly validate the DESCRIPTION field when processing iCalendar attachments. If a user were tricked into accepting a crafted iCalendar attachment and replied to it from the calendar window, an attacker code cause a denial of service or execute code with user privileges. (CVE-2008-1109) Matej Cepl discovered that Evolution did not properly validate date fields when processing iCalendar attachments. If a user disabled the ITip Formatter plugin and viewed a crafted iCalendar attachment, an attacker could cause a denial of service. Note that the ITip Formatter plugin is enabled by default in Ubuntu. |
Original Source
Url : http://www.ubuntu.com/usn/USN-615-1 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:10337 | |||
Oval ID: | oval:org.mitre.oval:def:10337 | ||
Title: | Heap-based buffer overflow in Evolution 2.22.1 allows user-assisted remote attackers to execute arbitrary code via a long DESCRIPTION property in an iCalendar attachment, which is not properly handled during a reply in the calendar view (aka the Calendars window). | ||
Description: | Heap-based buffer overflow in Evolution 2.22.1 allows user-assisted remote attackers to execute arbitrary code via a long DESCRIPTION property in an iCalendar attachment, which is not properly handled during a reply in the calendar view (aka the Calendars window). | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2008-1109 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:10471 | |||
Oval ID: | oval:org.mitre.oval:def:10471 | ||
Title: | Buffer overflow in Evolution 2.22.1, when the ITip Formatter plugin is disabled, allows remote attackers to execute arbitrary code via a long timezone string in an iCalendar attachment. | ||
Description: | Buffer overflow in Evolution 2.22.1, when the ITip Formatter plugin is disabled, allows remote attackers to execute arbitrary code via a long timezone string in an iCalendar attachment. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2008-1108 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:17650 | |||
Oval ID: | oval:org.mitre.oval:def:17650 | ||
Title: | USN-615-1 -- evolution vulnerabilities | ||
Description: | Alin Rad Pop of Secunia Research discovered that Evolution did not properly validate timezone data when processing iCalendar attachments. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-615-1 CVE-2008-1108 CVE-2008-1109 | Version: | 7 |
Platform(s): | Ubuntu 6.06 Ubuntu 7.04 Ubuntu 7.10 Ubuntu 8.04 | Product(s): | evolution |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:22709 | |||
Oval ID: | oval:org.mitre.oval:def:22709 | ||
Title: | ELSA-2008:0514: evolution security update (Important) | ||
Description: | Heap-based buffer overflow in Evolution 2.22.1 allows user-assisted remote attackers to execute arbitrary code via a long DESCRIPTION property in an iCalendar attachment, which is not properly handled during a reply in the calendar view (aka the Calendars window). | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2008:0514-01 CVE-2008-1108 CVE-2008-1109 | Version: | 13 |
Platform(s): | Oracle Linux 5 | Product(s): | evolution |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | 2 |
OpenVAS Exploits
Date | Description |
---|---|
2009-04-09 | Name : Mandriva Update for evolution MDVSA-2008:111 (evolution) File : nvt/gb_mandriva_MDVSA_2008_111.nasl |
2009-03-23 | Name : Ubuntu Update for evolution vulnerabilities USN-615-1 File : nvt/gb_ubuntu_USN_615_1.nasl |
2009-03-06 | Name : RedHat Update for evolution28 RHSA-2008:0515-01 File : nvt/gb_RHSA-2008_0515-01_evolution28.nasl |
2009-03-06 | Name : RedHat Update for evolution RHSA-2008:0516-01 File : nvt/gb_RHSA-2008_0516-01_evolution.nasl |
2009-02-27 | Name : CentOS Update for evolution28 CESA-2008:0515 centos4 i386 File : nvt/gb_CESA-2008_0515_evolution28_centos4_i386.nasl |
2009-02-27 | Name : CentOS Update for evolution28 CESA-2008:0515 centos4 x86_64 File : nvt/gb_CESA-2008_0515_evolution28_centos4_x86_64.nasl |
2009-02-27 | Name : CentOS Update for evolution CESA-2008:0516 centos3 i386 File : nvt/gb_CESA-2008_0516_evolution_centos3_i386.nasl |
2009-02-27 | Name : CentOS Update for evolution CESA-2008:0516 centos3 x86_64 File : nvt/gb_CESA-2008_0516_evolution_centos3_x86_64.nasl |
2009-02-27 | Name : CentOS Update for evolution CESA-2008:0516 centos4 i386 File : nvt/gb_CESA-2008_0516_evolution_centos4_i386.nasl |
2009-02-27 | Name : CentOS Update for evolution CESA-2008:0516 centos4 x86_64 File : nvt/gb_CESA-2008_0516_evolution_centos4_x86_64.nasl |
2009-02-17 | Name : Fedora Update for evolution FEDORA-2008-4990 File : nvt/gb_fedora_2008_4990_evolution_fc9.nasl |
2009-02-17 | Name : Fedora Update for evolution FEDORA-2008-5016 File : nvt/gb_fedora_2008_5016_evolution_fc8.nasl |
2009-02-17 | Name : Fedora Update for evolution FEDORA-2008-5018 File : nvt/gb_fedora_2008_5018_evolution_fc7.nasl |
2009-01-23 | Name : SuSE Update for evolution SUSE-SA:2008:028 File : nvt/gb_suse_2008_028.nasl |
2008-09-24 | Name : Gentoo Security Advisory GLSA 200806-06 (evolution) File : nvt/glsa_200806_06.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
46006 | Evolution iCalendar Calendar View Attachment DESCRIPTION Property Handling Ov... |
46005 | Evolution iCalendar Attachment Timezone String Handling Remote Overflow |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2008-0515.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2008-0516.nasl - Type : ACT_GATHER_INFO |
2013-01-24 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2008-0517.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20080604_evolution_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20080604_evolution_on_SL3_x.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20080604_evolution28_on_SL4_6.nasl - Type : ACT_GATHER_INFO |
2010-01-06 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2008-0514.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2008-111.nasl - Type : ACT_GATHER_INFO |
2008-06-18 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200806-06.nasl - Type : ACT_GATHER_INFO |
2008-06-16 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_evolution-5327.nasl - Type : ACT_GATHER_INFO |
2008-06-16 | Name : The remote openSUSE host is missing a security update. File : suse_evolution-5326.nasl - Type : ACT_GATHER_INFO |
2008-06-09 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2008-0515.nasl - Type : ACT_GATHER_INFO |
2008-06-09 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-615-1.nasl - Type : ACT_GATHER_INFO |
2008-06-09 | Name : The remote Fedora host is missing a security update. File : fedora_2008-5018.nasl - Type : ACT_GATHER_INFO |
2008-06-09 | Name : The remote Fedora host is missing a security update. File : fedora_2008-5016.nasl - Type : ACT_GATHER_INFO |
2008-06-09 | Name : The remote Fedora host is missing a security update. File : fedora_2008-4990.nasl - Type : ACT_GATHER_INFO |
2008-06-09 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2008-0516.nasl - Type : ACT_GATHER_INFO |
2008-06-05 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2008-0516.nasl - Type : ACT_GATHER_INFO |
2008-06-05 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2008-0515.nasl - Type : ACT_GATHER_INFO |
2008-06-04 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2008-0514.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 12:05:09 |
|