Bug 717932 (CVE-2020-11879) - <mail-client/evolution-3.34.4-r1: Possible disclosure of local files by attachments (CVE-2020-11879)
Alias: CVE-2020-11879
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
Whiteboard: B4 [noglsa cve]
Depends on:
Reported: 2020-04-17 18:05 UTC by Sam James
Modified: 2020-05-03 23:39 UTC

See Also:
Package list:
Runtime testing required: ---
nattka: sanity-check+


Description Sam James archtester gentoo-dev Security 2020-04-17 18:05:30 UTC
"An issue was discovered in GNOME Evolution before 3.35.91. By using the proprietary (non-RFC6068) "mailto?attach=..." parameter, a website (or other source of mailto links) can make Evolution attach local files or directories to a composed email message without showing a warning to the user, as demonstrated by an attach=.bash_history value."
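
A defender-side check for the behaviour described above, as an added example that is not part of the bug report or of Evolution's patch: it scans mailto: links (for instance, links extracted from web pages or mail bodies) for the `attach` parameter and tags the kind of path each one names. The function names, tags and sample links are assumptions made for illustration.

```python
from pathlib import PurePosixPath
from urllib.parse import unquote, urlsplit

# Parameter named in the CVE description. Assumption: matched case-insensitively.
ATTACH_PARAMS = {"attach"}


def classify(value):
    """Tag an attach= value by the kind of local path it names."""
    if value.lower().startswith("file://"):
        value = urlsplit(value).path
    path = PurePosixPath(value)
    tags = []
    if path.is_absolute():
        tags.append("absolute")
    if ".." in path.parts:
        tags.append("traversal")
    if any(p.startswith(".") and p != ".." for p in path.parts):
        tags.append("hidden")
    return tags or ["relative"]


def audit_mailto(uri):
    """Return (param, decoded value, tags) for each attach field in a mailto: URI."""
    parts = urlsplit(uri.strip())
    if parts.scheme != "mailto":
        return []
    findings = []
    # Split by hand: parse_qsl would turn '+' into a space, which mailto does not do.
    for field in filter(None, parts.query.split("&")):
        name, _, raw = field.partition("=")
        name = unquote(name).lower()
        if name in ATTACH_PARAMS:
            value = unquote(raw)
            findings.append((name, value, classify(value)))
    return findings


# Constructed sample links (example.org addresses, not taken from the bug report).
SAMPLES = [
    "mailto:user@example.org?subject=Hello&body=Hi",
    "mailto:user@example.org?attach=.bash_history",  # value quoted in the CVE text
    "MAILTO:user@example.org?subject=x&Attach=%2Ftmp%2Freport.pdf",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", audit_mailto(link) or "ok")
```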

Comment 1 Sam James archtester gentoo-dev Security 2020-04-17 18:06:30 UTC
@maintainer(s), if possible, apply the provided patch. Let us know if it is not feasible.

Comment 2 Larry the Git Cow gentoo-dev 2020-04-17 18:21:41 UTC
The bug has been referenced in the following commit(s):

commit 38193445919ae80cf0e16c18bf96a254dc49117c
Author:     Mart Raudsepp <>
AuthorDate: 2020-04-17 18:20:52 +0000
Commit:     Mart Raudsepp <>
CommitDate: 2020-04-17 18:21:09 +0000

    mail-client/evolution: Fix CVE-2020-11879
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: Mart Raudsepp <>

 mail-client/evolution/evolution-3.34.4-r1.ebuild   | 155 +++++++++++++++++++++
 .../evolution/files/3.34.4-CVE-2020-11879.patch    | 122 ++++++++++++++++
 2 files changed, 277 insertions(+)

Comment 3 Agostino Sarubbo gentoo-dev 2020-04-22 17:01:29 UTC
amd64 stable

Comment 4 Agostino Sarubbo gentoo-dev 2020-04-23 06:31:18 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.