Summary: | mail-client/evolution < 2.12-3-r2 iCalendar Buffer Overflow Vulnerabilities (CVE-2008-{1108,1109}) | ||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Product: | Gentoo Security | Reporter: | Matthias Geerdsen (RETIRED) <vorlon> | ||||||||||||||
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> | ||||||||||||||
Status: | RESOLVED FIXED | ||||||||||||||||
Severity: | normal | CC: | gnome | ||||||||||||||
Priority: | High | ||||||||||||||||
Version: | unspecified | ||||||||||||||||
Hardware: | All | ||||||||||||||||
OS: | Linux | ||||||||||||||||
URL: | http://secunia.com/advisories/30298/ | ||||||||||||||||
Whiteboard: | B2 [glsa] | ||||||||||||||||
Package list: | Runtime testing required: | --- | |||||||||||||||
Attachments: |
|
Description
Matthias Geerdsen (RETIRED)
2008-05-28 15:02:15 UTC
Created attachment 154593 [details, diff]
patch for CVE-2008-1108 (2.22.1)
Created attachment 154595 [details, diff]
patch for CVE-2008-1109 (2.22.1)
2.22.2 and 2.23.2 are vulnerable. I could also reproduce the issue with our stable 2.12.3. I'll attach the patches with clean whitespaces, as the ones above do not apply. If you can, please prepare an ebuild for prestabling. Created attachment 154927 [details]
evolution-2.12.3-CVE-2008-1108.patch
Created attachment 154929 [details]
evolution-2.12.3-CVE-2008-1109.patch
Created attachment 154995 [details, diff]
evolution-2.12.3.patch
patch for 2.12.3 ebuild
Created attachment 154999 [details, diff]
evolution-2.22.2.patch
patch to 2.22.2 ebuild. The first set of patch would need to match the scheme of the second sed of patch to apply properly.
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug. Security only cared about the (to come)evolution-2.12.3-r2 ebuild. Target keywords : "alpha amd64 hppa ia64 ppc ppc64 release sparc x86" CC'ing current Liaisons: alpha : yoswink amd64 : welp hppa : jer ppc : dertobi123 ppc64 : corsair release : pva sparc : fmccor x86 : opfer x86 good to go looks good on ppc64 HPPA is OK. Looks okay on alpha/ia64/sparc also looks good on ppc Looks good to go on amd64, too Is this 10am CET or CEST? :) public as per $URL. removing arch liaisons and moving to glsa part. please commit the ebuild with stable keywords gathered. evolution-2.22.2-r1 and evolution-2.12.3-r2 has been committed to portage tree, with the gathered stable keywords for the latter, which just leaves release@. CCing them Fixed in release snapshot. GLSA 200806-06 Is anybody coordinating with upstream? (In reply to comment #21) > Is anybody coordinating with upstream? Can you elaborate? |