Description: "An issue was discovered in GNOME Evolution before 3.35.91. By using the proprietary (non-RFC6068) "mailto?attach=..." parameter, a website (or other source of mailto links) can make Evolution attach local files or directories to a composed email message without showing a warning to the user, as demonstrated by an attach=.bash_history value."

Bug: https://gitlab.gnome.org/GNOME/evolution/issues/784
Patch: https://gitlab.gnome.org/GNOME/evolution/-/commit/6489f20d6905cc797e2b2581c415e558c457caa7
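Added example (not part of the original report and not the upstream patch): a filter that a URL handler or mail gateway could run on mailto links before passing them to an unpatched client, dropping the `attach` parameter named in the description. The function name, the case-insensitive and percent-decoded key matching, and the sample links are assumptions of this example.

```python
from urllib.parse import urlsplit, unquote

# Parameter named in the advisory. Matching it case-insensitively and after
# percent-decoding is a conservative assumption of this example.
UNSAFE_PARAMS = {"attach"}


def audit_mailto(uri):
    """Return (sanitized_uri, dropped_values) for a mailto URI.

    Kept parameters are passed through byte-for-byte (no re-encoding), so a
    literal '+' in a subject is not turned into a space. Any '#fragment' is
    discarded, since mailto URIs have no use for one.
    """
    parts = urlsplit(uri.strip())
    if parts.scheme.lower() != "mailto":
        raise ValueError("not a mailto URI")
    kept, dropped = [], []
    for pair in filter(None, parts.query.split("&")):
        key, _, value = pair.partition("=")
        if unquote(key).strip().lower() in UNSAFE_PARAMS:
            dropped.append(unquote(value))   # record what was requested
        else:
            kept.append(pair)
    clean = "mailto:" + parts.path + ("?" + "&".join(kept) if kept else "")
    return clean, dropped


if __name__ == "__main__":
    # Constructed sample links; the attach value is the one from the description.
    samples = [
        "mailto:user@example.org?subject=Hello&attach=.bash_history",
        "MAILTO:user@example.org?%41ttach=.bash%5Fhistory",
        "mailto:user@example.org?subject=a+b",
    ]
    for link in samples:
        clean, dropped = audit_mailto(link)
        status = "BLOCKED attach=%s" % dropped if dropped else "ok"
        print("%-60s -> %s [%s]" % (link, clean, status))
```
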
@maintainer(s), if possible, apply the provided patch. Let us know if it is not feasible.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=38193445919ae80cf0e16c18bf96a254dc49117c

commit 38193445919ae80cf0e16c18bf96a254dc49117c
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2020-04-17 18:20:52 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2020-04-17 18:21:09 +0000

    mail-client/evolution: Fix CVE-2020-11879

    Bug: https://bugs.gentoo.org/717932
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 mail-client/evolution/evolution-3.34.4-r1.ebuild   | 155 +++++++++++++++++++++
 .../evolution/files/3.34.4-CVE-2020-11879.patch    | 122 ++++++++++++++++
 2 files changed, 277 insertions(+)
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.