According to Harish, evolution maintainer, there was a vulnerability in evolution mailto: URI handler and Composer behaviour. This has been fixed in the latest release 2.4.2.1 and is discussed in the access restricted gnome bug: http://bugs.gnome.org/show_bug.cgi?id=323129 . I'm working on us getting access to the bug.

Harish told me the following about this bug:

"well...not a huge one really...yes it is in the ChangeLog but w/o overtly saying it is a security risk just that there is one way where in an attachment could be added to a mail w/o it showing up in the UI"

"so the bug is actually this - if you execute 'evolution-2.4 "mailto:kharish@novell.com?attach=.gnome2_private/Evolution"' the UI does not indicate that the mail has an attachment being sent too.."

In short, a local user can be sending attachments without knowing about them.

Reproducible: Always
Steps to Reproduce:
1.
2.
3.
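The check a mailto: handler needs, as an added Python illustration (not Evolution's code or the upstream patch): parse the URI, enumerate any attach= fields, and hand them back for the UI to show or refuse instead of attaching them silently. The field name `attach` is the one from the report above; the function names and the `safe_compose_fields` policy are assumptions for this example.

```python
from urllib.parse import unquote

# Header field(s) a mailto: handler must never honour without user review:
# they name local files to attach. "attach" is the field from the report;
# any further aliases an implementation accepts would have to be added here.
ATTACHMENT_FIELDS = {"attach"}


def parse_mailto(uri):
    """Split a mailto: URI into (recipients, [(field, value), ...]).

    Percent-decoding is done per component; '+' is kept literal because
    mailto: uses plain percent-encoding, not form encoding.
    """
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() != "mailto":
        raise ValueError("not a mailto: URI")
    to_part, _, query = rest.partition("?")
    recipients = [unquote(addr) for addr in to_part.split(",") if addr]
    fields = []
    for pair in (query.split("&") if query else []):
        name, _, value = pair.partition("=")
        fields.append((unquote(name).lower(), unquote(value)))
    return recipients, fields


def attachments_requested(uri):
    """List every file an untrusted mailto: link asks the composer to attach."""
    return [v for k, v in parse_mailto(uri)[1] if k in ATTACHMENT_FIELDS]


def safe_compose_fields(uri):
    """Headers a composer may prefill directly, with attachment requests
    split out so the UI can display them (or drop them) before sending."""
    recipients, fields = parse_mailto(uri)
    return {
        "to": recipients,
        "fields": [(k, v) for k, v in fields if k not in ATTACHMENT_FIELDS],
        "attachments_to_confirm": [v for k, v in fields if k in ATTACHMENT_FIELDS],
    }


if __name__ == "__main__":
    # The URI from the report: the attachment request is made visible, not hidden.
    print(safe_compose_fields("mailto:kharish@novell.com?attach=.gnome2_private/Evolution"))
```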
We're working on adding evolution-2.4.2.1 to the tree now, we'll let you know when it is in.
Fixed version now in portage, had to make a patch, it's now upstream @ http://bugzilla.gnome.org/show_bug.cgi?id=323580
Fixed ebuild in portage, vulnerable package was never marked stable so I'm closing without GLSA. Thx to everybody involved.
sorry, forgot to edit whiteboard</ashamed>