CVE-2009-0547 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0547): Evolution 2.22.3.1 checks S/MIME signatures against a copy of the e-mail text within a signed-data blob, not the copy of the e-mail text displayed to the user, which allows remote attackers to spoof a signature by modifying the latter copy, a different vulnerability than CVE-2008-5077.
patch: http://svn.gnome.org/viewvc/evolution-data-server?view=revision&revision=10106
I have backported versions of this; however, all my s/mime signed messages are failing now. I've commented on the upstream bug, and will wait to commit until they respond.
Okay, upstream as re-fixed this, and I've verified it. Committed as: evolution-2.24.5-r1 evolution-2.22.3-r2 2.24.5 is being stabilized as part of bug #260063 so this bug interacts with that one.
Arches, please test and mark stable (depending on your state of bug 260063): =gnome-extra/evolution-data-server-2.22.3-r2 =gnome-extra/evolution-data-server-2.24.5-r1 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
building evolution with 2.22.3-r2 fails here (builds fine with gnome-extra/evolution-data-server-2.22.3-r1): i686-pc-linux-gnu-gcc -O2 -march=i686 -pipe -Wall -Wmissing-prototypes -Wno-sign-compare -Wl,-O1 -o .libs/test-calendar test-calendar.o -pthread ./.libs/libemiscwidgets.so ../../e-util/.libs/libeutil.so /usr/lib/libgnomeui-2.so /usr/lib/libSM.so /usr/lib/libICE.so /usr/lib/libbonoboui-2.so /usr/lib/libgnomevfs-2.so /usr/lib/libgnomecanvas-2.so /usr/lib/libart_lgpl_2.so /usr/lib/libedataserverui-1.2.so /usr/lib/libglade-2.0.so /usr/lib/libebook-1.2.so /usr/lib/libgtk-x11-2.0.so /usr/lib/libgdk-x11-2.0.so /usr/lib/libatk-1.0.so /usr/lib/libgdk_pixbuf-2.0.so /usr/lib/libpangocairo-1.0.so /usr/lib/libpango-1.0.so /usr/lib/libcairo.so /usr/lib/libgnome-2.so /usr/lib/libpopt.so /usr/lib/libedataserver-1.2.so /usr/lib/libxml2.so /usr/lib/libgconf-2.so /usr/lib/libbonobo-2.so /usr/lib/libbonobo-activation.so /usr/lib/libgmodule-2.0.so -ldl /usr/lib/libORBit-2.so /usr/lib/libgthread-2.0.so -lrt /usr/lib/libgobject-2.0.so /usr/lib/libglib-2.0.so -Wl,--rpath -Wl,/usr/lib/evolution/2.22 /usr/lib/libcamel-provider-1.2.so.11: undefined reference to `set_nss_error' collect2: ld returned 1 exit status make[3]: *** [test-calendar] Error 1 make[3]: *** Waiting for unfinished jobs....
I get the same error on alpha.
Sorry, It didn't occur to me to rebuild evo against it. I've fixed both the 2.22 and the 2.24 versions, and test built evo against them.
amd64/x86 stable
ppc64 done
Both stable on alpha.
ia64 stable for both, sparc only for 2.22, since 2.24 sigbuses and stuff...
ppc done
=gnome-extra/evolution-data-server-2.22.3-r2 stable for HPPA. GNOME 2.24 will happen in due time.
after patch CVE-2009-0547 my evo doesn't show properly some smime signed messages. It only shows "Digests missing from enveloped data". So I checked 2.24.5-r1 2.24.5-r2 and 2.24.5. 2.24.5 works ok. Then I commented out patch CVE-2009-0547 from 2.24.5-r2 ebuild and now every messages are visible. Could you explain what is wrong with this patch or my emails?
There's been a regression due to the patch, upstream has committed a revised version.
The regression has been fixed in this commit: http://svn.gnome.org/viewvc/evolution-data-server?view=revision&revision=10194 gnome, can you update the patch so we can re-stable ? Thanks!
(In reply to comment #16) > The regression has been fixed in this commit: > http://svn.gnome.org/viewvc/evolution-data-server?view=revision&revision=10194 > > gnome, can you update the patch so we can re-stable ? Thanks! > in 2.24.5-r3, sorry for taking so long.
Arches, please test and mark stable: =gnome-extra/evolution-data-server-2.24.5-r3 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
x86 stable
Marked ppc/ppc64 stable.
Stable for HPPA.
amd64 stable
alpha/arm/ia64/sparc stable
GLSA con bug 261203.
ping ? all of gnome 2.24 is going away soon.
This issue has been fixed since Aug 02, 2009. No GLSA will be issued.