__________________________________________________________

                The U.S. Department of Energy
            Computer Incident Advisory Capability
__________________________________________________________

                      INFORMATION BULLETIN

                    Evolution Security Update
                   [Red Hat RHSA-2008:0177-3]

March 6, 2008 21:00 GMT                                          Number S-222
______________________________________________________________________________
PROBLEM:       A format string flaw was found in the way Evolution displayed
               encrypted mail content.

PLATFORM:      RHEL Desktop Workstation (v. 5 client)
               RHEL Optional Productivity Applications (v. 5 server)
               Red Hat Desktop (v. 4)
               Red Hat Enterprise Linux AS, ES, WS (v. 4)
               Red Hat Enterprise Linux Desktop (v. 5 client)

DAMAGE:        Arbitrary code executed.

SOLUTION:      Upgrade to the appropriate version.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. If a user opened a carefully crafted mail
ASSESSMENT:    message, arbitrary code could be executed as the user running
               Evolution.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/s-222.shtml
 ORIGINAL BULLETIN:  https://rhn.redhat.com/errata/RHSA-2008-0177.html
 ADDITIONAL LINKS:   http://www.debian.org/security/2008/dsa-1512
                     http://www.securityfocus.com/bid/28102/discuss
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0072
______________________________________________________________________________

[***** Start Red Hat RHSA-2008:0177-3 *****]

Critical: evolution security update

Advisory:          RHSA-2008:0177-3
Type:              Security Advisory
Severity:          Critical
Issued on:         2008-03-05
Last updated on:   2008-03-05

Affected Products: RHEL Desktop Workstation (v. 5 client)
                   RHEL Optional Productivity Applications (v. 5 server)
                   Red Hat Desktop (v. 4)
                   Red Hat Enterprise Linux AS (v. 4)
                   Red Hat Enterprise Linux Desktop (v. 5 client)
                   Red Hat Enterprise Linux ES (v. 4)
                   Red Hat Enterprise Linux WS (v. 4)

OVAL:              com.redhat.rhsa-20080177.xml
CVEs (cve.mitre.org): CVE-2008-0072

Details

Updated evolution packages that fix a format string bug are now available for
Red Hat Enterprise Linux 4 and 5.

This update has been rated as having critical security impact by the Red Hat
Security Response Team.

Evolution is the GNOME collection of personal information management (PIM)
tools.

A format string flaw was found in the way Evolution displayed encrypted mail
content. If a user opened a carefully crafted mail message, arbitrary code
could be executed as the user running Evolution. (CVE-2008-0072)

All users of Evolution should upgrade to these updated packages, which contain
a backported patch which resolves this issue.

Red Hat would like to thank Ulf Härnhammar of Secunia Research for finding
and reporting this issue.

Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

RHEL Desktop Workstation (v. 5 client)
--------------------------------------------------------------------------------
IA-32:
evolution-devel-2.8.0-40.el5_1.1.i386.rpm        c36f334a351ec3b819a6fafe3f2b5114

x86_64:
evolution-devel-2.8.0-40.el5_1.1.i386.rpm        c36f334a351ec3b819a6fafe3f2b5114
evolution-devel-2.8.0-40.el5_1.1.x86_64.rpm      2ad76ac2c16830ad5ca256426c9d4db0

RHEL Optional Productivity Applications (v. 5 server)
--------------------------------------------------------------------------------
SRPMS:
evolution-2.8.0-40.el5_1.1.src.rpm               bc326bab2009ec8dcda36c5b5c29f0e6

IA-32:
evolution-2.8.0-40.el5_1.1.i386.rpm              cb5e69d31b9f7e1c29a82cab2b4c744e
evolution-devel-2.8.0-40.el5_1.1.i386.rpm        c36f334a351ec3b819a6fafe3f2b5114

x86_64:
evolution-2.8.0-40.el5_1.1.i386.rpm              cb5e69d31b9f7e1c29a82cab2b4c744e
evolution-2.8.0-40.el5_1.1.x86_64.rpm            e3a9da8b1243b72bb4f39b722373c992
evolution-devel-2.8.0-40.el5_1.1.i386.rpm        c36f334a351ec3b819a6fafe3f2b5114
evolution-devel-2.8.0-40.el5_1.1.x86_64.rpm      2ad76ac2c16830ad5ca256426c9d4db0

Red Hat Desktop (v. 4)
--------------------------------------------------------------------------------
SRPMS:
evolution-2.0.2-35.0.4.el4_6.1.src.rpm           8da571d7b19109bb269105110a6ba0ca
evolution28-2.8.0-53.el4_6.2.src.rpm             5f34fafdbd5b6ca17f97754e13ec5154

IA-32:
evolution-2.0.2-35.0.4.el4_6.1.i386.rpm          c7ed0106d1a42ae54238c97c12c5402a
evolution-devel-2.0.2-35.0.4.el4_6.1.i386.rpm    0be255baffa73c0ae8d4a289b469caf4
evolution28-2.8.0-53.el4_6.2.i386.rpm            2e44e645092ec420b69598c5c2755910
evolution28-devel-2.8.0-53.el4_6.2.i386.rpm      94b58fe2b2c565bc7466d2723f69b432

x86_64:
evolution-2.0.2-35.0.4.el4_6.1.x86_64.rpm        eab94ff5dcce3983a60a1d7c95934aec
evolution-devel-2.0.2-35.0.4.el4_6.1.x86_64.rpm  f4d3422304ad05066da7be5b7cd583d8
evolution28-2.8.0-53.el4_6.2.x86_64.rpm          4d3206775ac51b6060da7f7f3b2f54fe
evolution28-devel-2.8.0-53.el4_6.2.x86_64.rpm    819807555f0bd5334f50e2d22cbe459e

Red Hat Enterprise Linux AS (v. 4)
--------------------------------------------------------------------------------
SRPMS:
evolution-2.0.2-35.0.4.el4_6.1.src.rpm           8da571d7b19109bb269105110a6ba0ca
evolution28-2.8.0-53.el4_6.2.src.rpm             5f34fafdbd5b6ca17f97754e13ec5154

IA-32:
evolution-2.0.2-35.0.4.el4_6.1.i386.rpm          c7ed0106d1a42ae54238c97c12c5402a
evolution-devel-2.0.2-35.0.4.el4_6.1.i386.rpm    0be255baffa73c0ae8d4a289b469caf4
evolution28-2.8.0-53.el4_6.2.i386.rpm            2e44e645092ec420b69598c5c2755910
evolution28-devel-2.8.0-53.el4_6.2.i386.rpm      94b58fe2b2c565bc7466d2723f69b432

IA-64:
evolution-2.0.2-35.0.4.el4_6.1.ia64.rpm          f563be7281e48a244a4a83a4170bccdb
evolution-devel-2.0.2-35.0.4.el4_6.1.ia64.rpm    bf7764874707fa16c31badce4fc5e11b
evolution28-2.8.0-53.el4_6.2.ia64.rpm            0f5f7d91539a596c358aa91f1523e217
evolution28-devel-2.8.0-53.el4_6.2.ia64.rpm      0b6cdf5c12b2f0232d58ac4149775551

PPC:
evolution-2.0.2-35.0.4.el4_6.1.ppc.rpm           c50ce393148498d641dcdc3a5affe713
evolution-devel-2.0.2-35.0.4.el4_6.1.ppc.rpm     7c442c85586a71e865f1754688248e86
evolution28-2.8.0-53.el4_6.2.ppc.rpm             9182f3da8b68143181aecc88314d123c
evolution28-devel-2.8.0-53.el4_6.2.ppc.rpm       c13a168ca5153e3b89f2a4ed69f66bdb

s390:
evolution-2.0.2-35.0.4.el4_6.1.s390.rpm          293f115f2cacc0966e85c04cacee12a1
evolution-devel-2.0.2-35.0.4.el4_6.1.s390.rpm    f52e03ecfb7651c87fc4bd79948c0fc6
evolution28-2.8.0-53.el4_6.2.s390.rpm            2d9b317f57d42df0e8190d894192db44
evolution28-devel-2.8.0-53.el4_6.2.s390.rpm      c39d8409fb604ee4985481d3818cc53a

s390x:
evolution-2.0.2-35.0.4.el4_6.1.s390x.rpm         f02f676b6d969a489e6a9c669119a468
evolution-devel-2.0.2-35.0.4.el4_6.1.s390x.rpm   eab0a02ff63995b36a54086e12df2f30
evolution28-2.8.0-53.el4_6.2.s390x.rpm           2a1391655c37bac7e3394f4711387334
evolution28-devel-2.8.0-53.el4_6.2.s390x.rpm     0441084e367ebf24d9449be5b1579144

x86_64:
evolution-2.0.2-35.0.4.el4_6.1.x86_64.rpm        eab94ff5dcce3983a60a1d7c95934aec
evolution-devel-2.0.2-35.0.4.el4_6.1.x86_64.rpm  f4d3422304ad05066da7be5b7cd583d8
evolution28-2.8.0-53.el4_6.2.x86_64.rpm          4d3206775ac51b6060da7f7f3b2f54fe
evolution28-devel-2.8.0-53.el4_6.2.x86_64.rpm    819807555f0bd5334f50e2d22cbe459e

Red Hat Enterprise Linux Desktop (v. 5 client)
--------------------------------------------------------------------------------
SRPMS:
evolution-2.8.0-40.el5_1.1.src.rpm               bc326bab2009ec8dcda36c5b5c29f0e6

IA-32:
evolution-2.8.0-40.el5_1.1.i386.rpm              cb5e69d31b9f7e1c29a82cab2b4c744e

x86_64:
evolution-2.8.0-40.el5_1.1.i386.rpm              cb5e69d31b9f7e1c29a82cab2b4c744e
evolution-2.8.0-40.el5_1.1.x86_64.rpm            e3a9da8b1243b72bb4f39b722373c992

Red Hat Enterprise Linux ES (v. 4)
--------------------------------------------------------------------------------
SRPMS:
evolution-2.0.2-35.0.4.el4_6.1.src.rpm           8da571d7b19109bb269105110a6ba0ca
evolution28-2.8.0-53.el4_6.2.src.rpm             5f34fafdbd5b6ca17f97754e13ec5154

IA-32:
evolution-2.0.2-35.0.4.el4_6.1.i386.rpm          c7ed0106d1a42ae54238c97c12c5402a
evolution-devel-2.0.2-35.0.4.el4_6.1.i386.rpm    0be255baffa73c0ae8d4a289b469caf4
evolution28-2.8.0-53.el4_6.2.i386.rpm            2e44e645092ec420b69598c5c2755910
evolution28-devel-2.8.0-53.el4_6.2.i386.rpm      94b58fe2b2c565bc7466d2723f69b432

IA-64:
evolution-2.0.2-35.0.4.el4_6.1.ia64.rpm          f563be7281e48a244a4a83a4170bccdb
evolution-devel-2.0.2-35.0.4.el4_6.1.ia64.rpm    bf7764874707fa16c31badce4fc5e11b
evolution28-2.8.0-53.el4_6.2.ia64.rpm            0f5f7d91539a596c358aa91f1523e217
evolution28-devel-2.8.0-53.el4_6.2.ia64.rpm      0b6cdf5c12b2f0232d58ac4149775551

x86_64:
evolution-2.0.2-35.0.4.el4_6.1.x86_64.rpm        eab94ff5dcce3983a60a1d7c95934aec
evolution-devel-2.0.2-35.0.4.el4_6.1.x86_64.rpm  f4d3422304ad05066da7be5b7cd583d8
evolution28-2.8.0-53.el4_6.2.x86_64.rpm          4d3206775ac51b6060da7f7f3b2f54fe
evolution28-devel-2.8.0-53.el4_6.2.x86_64.rpm    819807555f0bd5334f50e2d22cbe459e

Red Hat Enterprise Linux WS (v. 4)
--------------------------------------------------------------------------------
SRPMS:
evolution-2.0.2-35.0.4.el4_6.1.src.rpm           8da571d7b19109bb269105110a6ba0ca
evolution28-2.8.0-53.el4_6.2.src.rpm             5f34fafdbd5b6ca17f97754e13ec5154

IA-32:
evolution-2.0.2-35.0.4.el4_6.1.i386.rpm          c7ed0106d1a42ae54238c97c12c5402a
evolution-devel-2.0.2-35.0.4.el4_6.1.i386.rpm    0be255baffa73c0ae8d4a289b469caf4
evolution28-2.8.0-53.el4_6.2.i386.rpm            2e44e645092ec420b69598c5c2755910
evolution28-devel-2.8.0-53.el4_6.2.i386.rpm      94b58fe2b2c565bc7466d2723f69b432

IA-64:
evolution-2.0.2-35.0.4.el4_6.1.ia64.rpm          f563be7281e48a244a4a83a4170bccdb
evolution-devel-2.0.2-35.0.4.el4_6.1.ia64.rpm    bf7764874707fa16c31badce4fc5e11b
evolution28-2.8.0-53.el4_6.2.ia64.rpm            0f5f7d91539a596c358aa91f1523e217
evolution28-devel-2.8.0-53.el4_6.2.ia64.rpm      0b6cdf5c12b2f0232d58ac4149775551

x86_64:
evolution-2.0.2-35.0.4.el4_6.1.x86_64.rpm        eab94ff5dcce3983a60a1d7c95934aec
evolution-devel-2.0.2-35.0.4.el4_6.1.x86_64.rpm  f4d3422304ad05066da7be5b7cd583d8
evolution28-2.8.0-53.el4_6.2.x86_64.rpm          4d3206775ac51b6060da7f7f3b2f54fe
evolution28-devel-2.8.0-53.el4_6.2.x86_64.rpm    819807555f0bd5334f50e2d22cbe459e

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

435759 - CVE-2008-0072 Evolution format string flaw

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0072
http://www.redhat.com/security/updates/classification/#critical

--------------------------------------------------------------------------------

These packages are GPG signed by Red Hat for security. Our key and details on
how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at
http://www.redhat.com/security/team/contact/

[***** End Red Hat RHSA-2008:0177-3 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report incidents.
Your agency's team will coordinate with CIAC. The Forum of Incident Response
and Security Teams (FIRST) is a world-wide organization. A list of FIRST
member organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall
not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

S-212: Mozilla Vulnerability in BMP Decoder
S-213: Nukedit 'email' Parameter Vulnerability
S-214: SurgeMail and WebMail 'Page' Command Vulnerability
S-215: Symantec Backup Exec Scheduler ActiveX Control Multiple Vulnerabilities
S-216: Juniper Networks Secure Access 2000 'rdremediate.cgi' Vulnerability
S-217: Drupal Multiple HTML Vulnerabilities
S-218: gd Security Update
S-219: Juniper Networks Secure Access 2000 Web Root Path Vulnerability
S-220: PHP-Nuke My_eGallery Module 'gid' Parameter Vulnerability
S-221: Learn2 STRunner ActiveX Control Vulnerabilities
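The bulletin above describes a format string flaw in the code that displays decrypted mail content. The C program below is an added example written for this page; it is not Evolution's code, not Red Hat's patch, and does not reproduce the actual bug. The `render` wrapper, the `display_body_*` functions and the sample message bodies are all constructed for illustration. It places the vulnerable pattern (untrusted text used as the format string) beside the corrected pattern (untrusted text passed as a `%s` argument), and adds the review-time check a defender uses to spot such text before it reaches a printf-family sink:

```c
/* Added example: the bug class behind CVE-2008-0072, shown generically.
 * Nothing here is Evolution or Red Hat code; all names are hypothetical. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define OUT_MAX 256

/* Hypothetical printf-style helper, standing in for the formatting routine
 * a mail client routes display text through. */
static int render(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int written = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return written;
}

/* VULNERABLE PATTERN: the decrypted message body is used as the format
 * string itself. Every '%' directive in the body is then interpreted by
 * vsnprintf, which reads (and with %n writes) caller memory chosen by the
 * message author: this is how "a carefully crafted mail message" becomes
 * code execution as the user. Behaviour is only defined when the body
 * contains no directives at all. */
static int display_body_unsafe(char *out, size_t n, const char *body)
{
    return render(out, n, body);
}

/* FIXED PATTERN: a constant "%s" format, body passed as data. Its bytes are
 * copied verbatim and never parsed as directives. */
static int display_body_safe(char *out, size_t n, const char *body)
{
    return render(out, n, "%s", body);
}

/* Review/test oracle: count conversion directives in untrusted text.
 * "%%" is an escaped percent sign, not a directive. A non-zero result means
 * the text must never occupy the format position of a printf-family call. */
static int count_format_directives(const char *s)
{
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* literal percent, skip both characters */
            p++;
            continue;
        }
        count++;
    }
    return count;
}

/* Returns 1 when the safe path reproduces the body byte for byte. */
static int safe_path_preserves(const char *body)
{
    char buf[OUT_MAX];
    display_body_safe(buf, sizeof buf, body);
    return strcmp(buf, body) == 0;
}

/* Exercises the unsafe path only on text the oracle clears (running it on
 * directive-bearing text is undefined behaviour, not a test). Returns 1 if
 * output equals input, 0 if the text was altered, -1 if the oracle refused. */
static int unsafe_path_guarded(const char *body)
{
    char buf[OUT_MAX];
    if (count_format_directives(body) != 0)
        return -1;
    display_body_unsafe(buf, sizeof buf, body);
    return strcmp(buf, body) == 0;
}

int main(void)
{
    /* Constructed sample bodies: one ordinary, one with an escaped percent,
     * one shaped like the crafted input the advisory warns about. */
    const char *plain   = "Meeting moved to 3pm.";
    const char *escaped = "Discount of 100%% applies.";
    const char *crafted = "hello %x %x %x %n";

    printf("directives: plain=%d escaped=%d crafted=%d\n",
           count_format_directives(plain),
           count_format_directives(escaped),
           count_format_directives(crafted));
    printf("safe path preserves crafted text: %d\n", safe_path_preserves(crafted));
    printf("unsafe path on escaped text (0 = altered): %d\n",
           unsafe_path_guarded(escaped));
    printf("unsafe path on crafted text (-1 = refused): %d\n",
           unsafe_path_guarded(crafted));
    return 0;
}
```

Two details worth noticing: the unsafe path silently rewrites even a harmless `"100%%"` into `"100%"`, which is a cheap functional test that catches this bug class long before any memory corruption, and the `-1` branch is the pattern a fuzz harness should use so that a finding is reported rather than executed as undefined behaviour.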