Bug 717932 (CVE-2020-11879)

Summary: <mail-client/evolution-3.34.4-r1: Possible disclosure of local files by attachments (CVE-2020-11879)
Product: Gentoo Security
Component: Vulnerabilities
Version: unspecified
Hardware: All
OS: Linux
Reporter: Sam James <sam>
Assignee: Gentoo Security <security>
CC: gnome
Severity: minor
Priority: Normal
Flags: nattka: sanity-check+
Whiteboard: B4 [noglsa cve]
Package list:
Runtime testing required: ---

Description Sam James archtester gentoo-dev Security 2020-04-17 18:05:30 UTC
"An issue was discovered in GNOME Evolution before 3.35.91. By using the proprietary (non-RFC6068) "mailto?attach=..." parameter, a website (or other source of mailto links) can make Evolution attach local files or directories to a composed email message without showing a warning to the user, as demonstrated by an attach=.bash_history value."

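An added illustration of the handler behaviour the advisory describes (example code written for this page, not Evolution's source): a mailto: parser that separates the RFC 6068 header fields from the proprietary attach= hint, with the silent pre-fix behaviour next to a hardened form that refuses directories and attaches a path only after explicit consent. The consent callback (standing in for a UI prompt), the resolution of relative attach= values against the home directory, and the sample link and files are assumptions made for the example.

```python
"""Parse mailto: links and gate the proprietary attach= parameter.

Added example for this bug page, not Evolution's own code.
"""
from dataclasses import dataclass, field
from pathlib import Path
from typing import Callable, List, Optional, Tuple
from urllib.parse import unquote, urlsplit

# Header fields that RFC 6068 discusses by name; anything else is a client
# extension and must not be trusted with side effects on the local system.
RFC6068_FIELDS = {"to", "cc", "bcc", "subject", "body", "in-reply-to", "keywords"}
# Evolution's non-standard attachment hint named in the advisory.
ATTACH_FIELD = "attach"


@dataclass
class Draft:
    to: list = field(default_factory=list)
    headers: dict = field(default_factory=dict)
    attachments: list = field(default_factory=list)
    warnings: list = field(default_factory=list)


def parse_mailto(url: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split a mailto: URL into (recipients, [(hfname, hfvalue), ...]).

    RFC 6068 separates fields with '&' and percent-encodes values; '+' is a
    literal character there, so unquote() is right and unquote_plus() is not.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "mailto":
        raise ValueError("not a mailto: URL")
    recipients = [unquote(a) for a in parts.path.split(",") if a]
    fields = []
    for item in parts.query.split("&"):
        if not item:
            continue
        name, _, value = item.partition("=")
        fields.append((unquote(name).lower(), unquote(value)))
    return recipients, fields


def resolve_attachment(value: str, home: Path) -> Path:
    """Map an attach= value to a filesystem path.

    Assumption made for this example: a relative name is resolved against the
    user's home directory, which is what attach=.bash_history relies on.
    """
    p = Path(value).expanduser()
    if not p.is_absolute():
        p = home / p
    return p.resolve()


def build_draft(url: str, home: Path,
                consent: Optional[Callable[[Path], bool]] = None) -> Draft:
    """Build a draft from a mailto: link.

    consent=None reproduces the pre-fix behaviour: every attach= path is
    attached silently. With a consent callback (hypothetical hook standing in
    for a UI prompt) a path is attached only after the user approves it, and
    directories are refused outright.
    """
    recipients, fields = parse_mailto(url)
    draft = Draft(to=recipients)
    for name, value in fields:
        if name == "to":
            draft.to.extend(a for a in value.split(",") if a)
        elif name in RFC6068_FIELDS:
            draft.headers[name] = value
        elif name == ATTACH_FIELD:
            path = resolve_attachment(value, home)
            if consent is None:                  # vulnerable: no warning, no prompt
                draft.attachments.append(path)
            elif path.is_dir():
                draft.warnings.append(f"refused directory attachment {path}")
            elif consent(path):
                draft.attachments.append(path)
            else:
                draft.warnings.append(f"user declined attachment {path}")
        else:
            draft.warnings.append(f"ignored unknown field {name!r}")
    return draft


def demo() -> dict:
    """Constructed scenario: a throwaway home with a fake .bash_history and a
    .ssh directory, hit by one attacker-supplied link."""
    import tempfile
    home = Path(tempfile.mkdtemp()).resolve()
    (home / ".bash_history").write_text("ssh admin@10.0.0.5\n")   # constructed
    (home / ".ssh").mkdir()
    link = ("mailto:victim@example.org?subject=Hello"
            "&attach=.bash_history&attach=.ssh&attach=%2Fetc%2Fhostname")
    silent = build_draft(link, home)                              # pre-fix
    guarded = build_draft(link, home, consent=lambda p: False)    # user says no
    return {
        "home": str(home),
        "subject": guarded.headers.get("subject"),
        "silent": [str(p) for p in silent.attachments],
        "guarded": [str(p) for p in guarded.attachments],
        "warnings": guarded.warnings,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two details carry the security point: every attach= value is attacker-chosen text that the handler turns into a path inside the victim's home, so the hardened branch never attaches without consent and never attaches a directory; and the parser percent-decodes with unquote() rather than unquote_plus(), since a '+' in a mailto: value is literal and form-style decoding would mangle both addresses and file names.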
Comment 1 Sam James archtester gentoo-dev Security 2020-04-17 18:06:30 UTC
@maintainer(s), if possible, apply the provided patch. Let us know if it is not feasible.
Comment 2 Larry the Git Cow gentoo-dev 2020-04-17 18:21:41 UTC
The bug has been referenced in the following commit(s):

commit 38193445919ae80cf0e16c18bf96a254dc49117c
Author:     Mart Raudsepp <>
AuthorDate: 2020-04-17 18:20:52 +0000
Commit:     Mart Raudsepp <>
CommitDate: 2020-04-17 18:21:09 +0000

    mail-client/evolution: Fix CVE-2020-11879
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: Mart Raudsepp <>

 mail-client/evolution/evolution-3.34.4-r1.ebuild   | 155 +++++++++++++++++++++
 .../evolution/files/3.34.4-CVE-2020-11879.patch    | 122 ++++++++++++++++
 2 files changed, 277 insertions(+)
Comment 3 Agostino Sarubbo gentoo-dev 2020-04-22 17:01:29 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2020-04-23 06:31:18 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.