270334 – (CVE-2009-1631) <mail-client/evolution-2.30.2-r1: ~/.evolution is world-readable (CVE-2009-1631)

Bug 270334 (CVE-2009-1631) - <mail-client/evolution-2.30.2-r1: ~/.evolution is world-readable (CVE-2009-1631)

Summary: <mail-client/evolution-2.30.2-r1: ~/.evolution is world-readable (CVE-2009-1631)

Status:	RESOLVED FIXED

Alias:	CVE-2009-1631

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High minor (vote)
Assignee:	Gentoo Security

URL:	https://bugzilla.redhat.com/show_bug....
Whiteboard:	B4 [noglsa]
Keywords:

Depends on:	324077
Blocks:
	Show dependency tree

Reported:	2009-05-18 17:51 UTC by Robert Buchholz (RETIRED)
Modified:	2011-01-02 19:27 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Robert Buchholz (RETIRED) gentoo-dev

2009-05-18 17:51:57 UTC

CVE-2009-1631 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1631):
  The Mailer component in Evolution 2.26.1 and earlier uses
  world-readable permissions for the .evolution directory, and certain
  directories and files under .evolution/ related to local mail, which
  allows local users to obtain sensitive information by reading these
  files.

Comment 1 Alex Legler (RETIRED) archtester

2009-08-14 11:03:06 UTC

There is no fix yet as per http://bugzilla.gnome.org/show_bug.cgi?id=581604. Resetting status whiteboard.

Comment 2 Gilles Dartiguelongue (RETIRED) gentoo-dev

2010-04-03 11:37:47 UTC

upstream had a fix commited to 2.30.

Comment 3 Gilles Dartiguelongue (RETIRED) gentoo-dev

2010-08-31 08:04:31 UTC

2.30 has been in tree for a couple of weeks now.

Comment 4 Stefan Behte (RETIRED) gentoo-dev

2010-09-22 22:59:59 UTC

Is it ok to go stable now?

Comment 5 Gilles Dartiguelongue (RETIRED) gentoo-dev

2010-09-23 07:55:32 UTC

well, it's already being tracked in gnome 2.30 stabilization request (bug #324077), so yes :)

Comment 6 Tim Sammut (RETIRED) gentoo-dev

2011-01-02 04:54:36 UTC

Stablization completed in 324077. GLSA Vote: No.

Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2011-01-02 19:10:22 UTC

Old -> GLSA Vote: No.

Comment 8 Tim Sammut (RETIRED) gentoo-dev

2011-01-02 19:27:31 UTC

(In reply to comment #7)
> Old -> GLSA Vote: No.
> 

Thank you. Closing noglsa.