USN-615-1: Evolution vulnerabilities
6 June 2008
Evolution vulnerabilities
Releases
Packages
Details
Alin Rad Pop of Secunia Research discovered that Evolution did not
properly validate timezone data when processing iCalendar attachments.
If a user disabled the ITip Formatter plugin and viewed a crafted
iCalendar attachment, an attacker could cause a denial of service or
possibly execute code with user privileges. Note that the ITip
Formatter plugin is enabled by default in Ubuntu. (CVE-2008-1108)
Alin Rad Pop of Secunia Research discovered that Evolution did not
properly validate the DESCRIPTION field when processing iCalendar
attachments. If a user were tricked into accepting a crafted
iCalendar attachment and replied to it from the calendar window, an
attacker code cause a denial of service or execute code with user
privileges. (CVE-2008-1109)
Matej Cepl discovered that Evolution did not properly validate date
fields when processing iCalendar attachments. If a user disabled the
ITip Formatter plugin and viewed a crafted iCalendar attachment, an
attacker could cause a denial of service. Note that the ITip
Formatter plugin is enabled by default in Ubuntu.
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 8.04
Ubuntu 7.10
Ubuntu 7.04
Ubuntu 6.06
After a standard system upgrade you need to restart Evolution to effect
the necessary changes.