Secunia reports: A format string error in the "emf_multipart_encrypted()" function in mail/em-format.c when displaying the "Version:" field from an encrypted e-mail message can be exploited to execute arbitrary code via a specially crafted e-mail message. Successful exploitation requires that the user opens a malicious e-mail message. ... We have assigned this vulnerability Secunia advisory SA29057 and the CVE identifier CVE-2008-0072. Credits should go to: Ulf Harnhammar, Secunia Research.
Daniel, Gilles, this issue is under embargo until 2008-03-19 10am CET. Do not commit anything to CVS until this date. Please prepare an updated ebuild and attach it to this bug, we will do prestable testing here. Thanks.
Created attachment 145259 [details, diff] evolution-CVE-2008-0072.diff Upstream patch
Embargo date was *advanced* to be tomorrow.
Created attachment 145266 [details] evolution-2.12.3-r1.ebuild full ebuild as asked by rbu.
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug. Please note that this issue will be public tomorrow morning. Thanks. Target keywords : "alpha amd64 hppa ia64 ppc ppc64 release sparc x86" CC'ing current Liaisons: alpha : ferdy amd64 : welp hppa : jer ppc : dertobi123 ppc64 : corsair release : pva sparc : fmccor x86 : opfer
As for HPPA: for reasons evolution takes around 3 hours to build on a 625MHz PA8700 (C3650)[1] and the build is not nearly halfway through. I'll be off to work before it finishes, so you can expect me to report back with some test results in about 9 hours from now (and no sooner). [1] I am currently building mail-client/evolution on a comparable Pentium III at 833MHz to see if the HPPA build time is indeed overly long.
Calendar and Tasks: * import of big ICS...check * import of tasks...check * modifying tasks and events...check Mail: * IMAP...check * SMTP...check * POP3...check Good to go on x86
Looks fine on alpha/ia64/sparc
Looks good on amd64.
jer, it compiles a while on my core2 too, no worries.
was cool for ppc64 here too
(In reply to comment #10) > jer, it compiles a while on my core2 too, no worries. Takes ~2 hours on the Pentium III, so I guess that's normal. Anyway, it appears to be good for HPPA.
Committed ebuild at 10:05am CET. Patch extension renamed from diff to patch to be the same as every new GNOME packages patch and explanation added on top of the patch as I like to do for future easy seeing what a given patch is for. Tested to work good on amd64 as well. +*evolution-2.12.3-r1 (05 Mar 2008) + + 05 Mar 2008; Mart Raudsepp <leio@gentoo.org> + +files/evolution-CVE-2008-0072.patch, +evolution-2.12.3-r1.ebuild: + Security fix for "Encrypted Message Version Format String Vulnerability". + Stable on alpha, amd64, hppa, ia64, ppc64, sparc and x86 +
Thank you guys for the fast work. Target keywords : "alpha amd64 hppa ia64 ppc ppc64 release sparc x86" Already stabled : "alpha amd64 hppa ia64 ppc64 sparc x86" Missing keywords: "ppc release"
ppc stable, ready for glsa
request filed
GLSA 200803-12
Fixed in release snapshot.