int(3843)

Boletines de Vulnerabilidades


Ejecución de código en Evolution

Clasificación de la vulnerabilidad

Propiedad Valor
Nivel de Confianza Oficial
Impacto Obtener acceso
Dificultad Experto
Requerimientos del atacante Acceso remoto sin cuenta a un servicio estandar

Información sobre el sistema

Propiedad Valor
Fabricante afectado GNU/Linux
Software afectado Evolution <= 2.12.3

Descripción

Se ha descubierto una vulnerabilidad en Evolution 2.12.3 y anteriores. La vulnerabilidad reside en un error de formato de cadena cuando se procesan mensajes cifrados. El error se encuentra en la función "emf_multipart_encrypted()" del fichero "mail/em-format.c".

Un atacante remoto podría ejecutar código arbitrario mediante un correo electrónico especialmente diseñado.

Solución



Actualización de software

Debian (DSA-1512-1)

Debian Linux 3.1
Source
http://security.debian.org/pool/updates/main/e/evolution/evolution_2.0.4-2sarge3.diff.gz
http://security.debian.org/pool/updates/main/e/evolution/evolution_2.0.4-2sarge3.dsc
http://security.debian.org/pool/updates/main/e/evolution/evolution_2.0.4.orig.tar.gz
amd64 (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/e/evolution/evolution-dev_2.0.4-2sarge3_amd64.deb
http://security.debian.org/pool/updates/main/e/evolution/evolution_2.0.4-2sarge3_amd64.deb
hppa (HP PA RISC)
http://security.debian.org/pool/updates/main/e/evolution/evolution-dev_2.0.4-2sarge3_hppa.deb
http://security.debian.org/pool/updates/main/e/evolution/evolution_2.0.4-2sarge3_hppa.deb
i386 (Intel ia32)
http://security.debian.org/pool/updates/main/e/evolution/evolution-dev_2.0.4-2sarge3_i386.deb
http://security.debian.org/pool/updates/main/e/evolution/evolution_2.0.4-2sarge3_i386.deb
ia64 (Intel ia64)
http://security.debian.org/pool/updates/main/e/evolution/evolution_2.0.4-2sarge3_ia64.deb
http://security.debian.org/pool/updates/main/e/evolution/evolution-dev_2.0.4-2sarge3_ia64.deb
powerpc (PowerPC)
http://security.debian.org/pool/updates/main/e/evolution/evolution-dev_2.0.4-2sarge3_powerpc.deb
http://security.debian.org/pool/updates/main/e/evolution/evolution_2.0.4-2sarge3_powerpc.deb
s390 (IBM S/390)
http://security.debian.org/pool/updates/main/e/evolution/evolution-dev_2.0.4-2sarge3_s390.deb
http://security.debian.org/pool/updates/main/e/evolution/evolution_2.0.4-2sarge3_s390.deb

Debian Linux 4.0
Source
http://security.debian.org/pool/updates/main/e/evolution/evolution_2.6.3.orig.tar.gz
http://security.debian.org/pool/updates/main/e/evolution/evolution_2.6.3-6etch2.dsc
http://security.debian.org/pool/updates/main/e/evolution/evolution_2.6.3-6etch2.diff.gz
Arquitectura independiente
http://security.debian.org/pool/updates/main/e/evolution/evolution-common_2.6.3-6etch2_all.deb
amd64 (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/e/evolution/evolution-dbg_2.6.3-6etch2_amd64.deb
http://security.debian.org/pool/updates/main/e/evolution/evolution_2.6.3-6etch2_amd64.deb
http://security.debian.org/pool/updates/main/e/evolution/evolution-plugins_2.6.3-6etch2_amd64.deb
http://security.debian.org/pool/updates/main/e/evolution/evolution-dev_2.6.3-6etch2_amd64.deb
http://security.debian.org/pool/updates/main/e/evolution/evolution-plugins-experimental_2.6.3-6etch2_amd64.deb
arm (ARM)
http://security.debian.org/pool/updates/main/e/evolution/evolution-dev_2.6.3-6etch2_arm.deb
http://security.debian.org/pool/updates/main/e/evolution/evolution-dbg_2.6.3-6etch2_arm.deb
http://security.debian.org/pool/updates/main/e/evolution/evolution_2.6.3-6etch2_arm.deb
http://security.debian.org/pool/updates/main/e/evolution/evolution-plugins-experimental_2.6.3-6etch2_arm.deb
http://security.debian.org/pool/updates/main/e/evolution/evolution-plugins_2.6.3-6etch2_arm.deb
hppa (HP PA RISC)
http://security.debian.org/pool/updates/main/e/evolution/evolution-dev_2.6.3-6etch2_hppa.deb
http://security.debian.org/pool/updates/main/e/evolution/evolution-dbg_2.6.3-6etch2_hppa.deb
http://security.debian.org/pool/updates/main/e/evolution/evolution_2.6.3-6etch2_hppa.deb
http://security.debian.org/pool/updates/main/e/evolution/evolution-plugins_2.6.3-6etch2_hppa.deb
http://security.debian.org/pool/updates/main/e/evolution/evolution-plugins-experimental_2.6.3-6etch2_hppa.deb
i386 (Intel ia32)
http://security.debian.org/pool/updates/main/e/evolution/evolution_2.6.3-6etch2_i386.deb
http://security.debian.org/pool/updates/main/e/evolution/evolution-dev_2.6.3-6etch2_i386.deb
http://security.debian.org/pool/updates/main/e/evolution/evolution-plugins-experimental_2.6.3-6etch2_i386.deb
http://security.debian.org/pool/updates/main/e/evolution/evolution-plugins_2.6.3-6etch2_i386.deb
http://security.debian.org/pool/updates/main/e/evolution/evolution-dbg_2.6.3-6etch2_i386.deb
ia64 (Intel ia64)
http://security.debian.org/pool/updates/main/e/evolution/evolution-plugins_2.6.3-6etch2_ia64.deb
http://security.debian.org/pool/updates/main/e/evolution/evolution_2.6.3-6etch2_ia64.deb
http://security.debian.org/pool/updates/main/e/evolution/evolution-plugins-experimental_2.6.3-6etch2_ia64.deb
http://security.debian.org/pool/updates/main/e/evolution/evolution-dev_2.6.3-6etch2_ia64.deb
http://security.debian.org/pool/updates/main/e/evolution/evolution-dbg_2.6.3-6etch2_ia64.deb
mips (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/e/evolution/evolution-dev_2.6.3-6etch2_mips.deb
http://security.debian.org/pool/updates/main/e/evolution/evolution-dbg_2.6.3-6etch2_mips.deb
http://security.debian.org/pool/updates/main/e/evolution/evolution-plugins-experimental_2.6.3-6etch2_mips.deb
http://security.debian.org/pool/updates/main/e/evolution/evolution_2.6.3-6etch2_mips.deb
http://security.debian.org/pool/updates/main/e/evolution/evolution-plugins_2.6.3-6etch2_mips.deb
mipsel (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/e/evolution/evolution-plugins-experimental_2.6.3-6etch2_mipsel.deb
http://security.debian.org/pool/updates/main/e/evolution/evolution-dev_2.6.3-6etch2_mipsel.deb
http://security.debian.org/pool/updates/main/e/evolution/evolution_2.6.3-6etch2_mipsel.deb
http://security.debian.org/pool/updates/main/e/evolution/evolution-plugins_2.6.3-6etch2_mipsel.deb
http://security.debian.org/pool/updates/main/e/evolution/evolution-dbg_2.6.3-6etch2_mipsel.deb
powerpc (PowerPC)
http://security.debian.org/pool/updates/main/e/evolution/evolution-plugins_2.6.3-6etch2_powerpc.deb
http://security.debian.org/pool/updates/main/e/evolution/evolution_2.6.3-6etch2_powerpc.deb
http://security.debian.org/pool/updates/main/e/evolution/evolution-dbg_2.6.3-6etch2_powerpc.deb
http://security.debian.org/pool/updates/main/e/evolution/evolution-dev_2.6.3-6etch2_powerpc.deb
http://security.debian.org/pool/updates/main/e/evolution/evolution-plugins-experimental_2.6.3-6etch2_powerpc.deb
s390 (IBM S/390)
http://security.debian.org/pool/updates/main/e/evolution/evolution-dev_2.6.3-6etch2_s390.deb
http://security.debian.org/pool/updates/main/e/evolution/evolution-dbg_2.6.3-6etch2_s390.deb
http://security.debian.org/pool/updates/main/e/evolution/evolution_2.6.3-6etch2_s390.deb
http://security.debian.org/pool/updates/main/e/evolution/evolution-plugins-experimental_2.6.3-6etch2_s390.deb
http://security.debian.org/pool/updates/main/e/evolution/evolution-plugins_2.6.3-6etch2_s390.deb
sparc (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/e/evolution/evolution-plugins_2.6.3-6etch2_sparc.deb
http://security.debian.org/pool/updates/main/e/evolution/evolution-dbg_2.6.3-6etch2_sparc.deb
http://security.debian.org/pool/updates/main/e/evolution/evolution-plugins-experimental_2.6.3-6etch2_sparc.deb
http://security.debian.org/pool/updates/main/e/evolution/evolution_2.6.3-6etch2_sparc.deb
http://security.debian.org/pool/updates/main/e/evolution/evolution-dev_2.6.3-6etch2_sparc.deb

Red Hat (RHSA-2008:0178-4)
Red Hat Enterprise Linux AS (v. 4.5.z)
Red Hat Enterprise Linux ES (v. 4.5.z)
https://rhn.redhat.com/

Red Hat (RHSA-2008:0177-3)
RHEL Desktop Workstation (v. 5 cliente)
RHEL Optional Productivity Applications (v. 5 servidor)
Red Hat Desktop (v. 4)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux Desktop (v. 5 cliente)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux WS (v. 4)
https://rhn.redhat.com/

Identificadores estándar

Propiedad Valor
CVE CVE-2008-0072
BID 28102

Recursos adicionales

Debian Security Advisory (DSA-1512-1)
http://lists.debian.org/debian-security-announce/2008/msg00076.html

Red Hat Security Advisory (RHSA-2008:0177-3)
http://rhn.redhat.com/errata/RHSA-2008-0177.html

Red Hat Security Advisory (RHSA-2008:0178-4)
http://rhn.redhat.com/errata/RHSA-2008-0178.html

Histórico de versiones

Versión Comentario Fecha
1.0 Aviso emitido 2008-03-06

Miembros de

Ministerio de Defensa
CNI
CCN
CCN-CERT