Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 258867 (CVE-2009-0547) - <gnome-extra/evolution-data-server-2.24.5-r3 S/MIME signature spoofing (CVE-2009-0547)
Summary: <gnome-extra/evolution-data-server-2.24.5-r3 S/MIME signature spoofing (CVE-2...
Alias: CVE-2009-0547
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: A4 [noglsa]
Depends on:
Blocks: gnome2.24
  Show dependency tree
Reported: 2009-02-13 17:45 UTC by Robert Buchholz (RETIRED)
Modified: 2014-05-31 19:58 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2009-02-13 17:45:24 UTC
CVE-2009-0547 (
  Evolution checks S/MIME signatures against a copy of the
  e-mail text within a signed-data blob, not the copy of the e-mail
  text displayed to the user, which allows remote attackers to spoof a
  signature by modifying the latter copy, a different vulnerability
  than CVE-2008-5077.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-02-27 16:26:15 UTC
Comment 2 Daniel Gryniewicz (RETIRED) gentoo-dev 2009-02-27 20:09:50 UTC
I have backported versions of this; however, all my s/mime signed messages are failing now.  I've commented on the upstream bug, and will wait to commit until they respond.
Comment 3 Daniel Gryniewicz (RETIRED) gentoo-dev 2009-03-07 20:57:17 UTC
Okay, upstream as re-fixed this, and I've verified it.  Committed as:


2.24.5 is being stabilized as part of bug #260063 so this bug interacts with that one.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-03-08 02:28:57 UTC
Arches, please test and mark stable (depending on your state of bug 260063):

Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 5 Markus Meier gentoo-dev 2009-03-08 14:23:53 UTC
building evolution with 2.22.3-r2 fails here (builds fine with gnome-extra/evolution-data-server-2.22.3-r1):

i686-pc-linux-gnu-gcc -O2 -march=i686 -pipe -Wall -Wmissing-prototypes -Wno-sign-compare -Wl,-O1 -o .libs/test-calendar test-calendar.o -pthread  ./.libs/ ../../e-util/.libs/ /usr/lib/ /usr/lib/ /usr/lib/ /usr/lib/ /usr/lib/ /usr/lib/ /usr/lib/ /usr/lib/ /usr/lib/ /usr/lib/ /usr/lib/ /usr/lib/ /usr/lib/ /usr/lib/ /usr/lib/ /usr/lib/ /usr/lib/ /usr/lib/ /usr/lib/ /usr/lib/ /usr/lib/ /usr/lib/ /usr/lib/ /usr/lib/ /usr/lib/ -ldl /usr/lib/ /usr/lib/ -lrt /usr/lib/ /usr/lib/ -Wl,--rpath -Wl,/usr/lib/evolution/2.22
/usr/lib/ undefined reference to `set_nss_error'
collect2: ld returned 1 exit status
make[3]: *** [test-calendar] Error 1
make[3]: *** Waiting for unfinished jobs....
Comment 6 Tobias Klausmann gentoo-dev 2009-03-08 18:30:04 UTC
I get the same error on alpha.
Comment 7 Daniel Gryniewicz (RETIRED) gentoo-dev 2009-03-08 20:59:48 UTC
Sorry, It didn't occur to me to rebuild evo against it.  I've fixed both the 2.22 and the 2.24 versions, and test built evo against them.
Comment 8 Markus Meier gentoo-dev 2009-03-09 21:15:16 UTC
amd64/x86 stable
Comment 9 Brent Baude (RETIRED) gentoo-dev 2009-03-11 13:52:10 UTC
ppc64 done
Comment 10 Tobias Klausmann gentoo-dev 2009-03-12 21:42:02 UTC
Both stable on alpha.
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2009-03-18 18:49:43 UTC
ia64 stable for both, sparc only for 2.22, since 2.24 sigbuses and stuff...
Comment 12 Brent Baude (RETIRED) gentoo-dev 2009-03-18 21:19:38 UTC
ppc done
Comment 13 Jeroen Roovers (RETIRED) gentoo-dev 2009-03-19 02:12:04 UTC
=gnome-extra/evolution-data-server-2.22.3-r2 stable for HPPA. GNOME 2.24 will happen in due time.
Comment 14 Jacek 2009-03-21 13:41:16 UTC
after patch CVE-2009-0547 my evo doesn't show properly some smime signed messages. It only shows "Digests missing from enveloped data". So I checked 2.24.5-r1 2.24.5-r2 and 2.24.5. 2.24.5 works ok. Then I commented out patch CVE-2009-0547 from 2.24.5-r2 ebuild and now every messages are visible.
Could you explain what is wrong with this patch or my emails?
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2009-04-02 07:21:31 UTC
There's been a regression due to the patch, upstream has committed a revised version.
Comment 16 Robert Buchholz (RETIRED) gentoo-dev 2009-07-10 10:50:34 UTC
The regression has been fixed in this commit:

gnome, can you update the patch so we can re-stable ? Thanks!
Comment 17 Gilles Dartiguelongue gentoo-dev 2009-07-22 21:22:14 UTC
(In reply to comment #16)
> The regression has been fixed in this commit:
> gnome, can you update the patch so we can re-stable ? Thanks!

in 2.24.5-r3, sorry for taking so long.
Comment 18 Robert Buchholz (RETIRED) gentoo-dev 2009-07-23 09:19:31 UTC
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 19 Christian Faulhammer (RETIRED) gentoo-dev 2009-07-23 20:28:34 UTC
x86 stable
Comment 20 Joe Jezak (RETIRED) gentoo-dev 2009-07-25 03:23:12 UTC
Marked ppc/ppc64 stable.
Comment 21 Jeroen Roovers (RETIRED) gentoo-dev 2009-07-26 03:54:39 UTC
Stable for HPPA.
Comment 22 Markus Meier gentoo-dev 2009-07-29 21:33:01 UTC
amd64 stable
Comment 23 Raúl Porcel (RETIRED) gentoo-dev 2009-08-02 10:47:52 UTC
alpha/arm/ia64/sparc stable
Comment 24 Tobias Heinlein (RETIRED) gentoo-dev 2009-08-02 14:21:43 UTC
GLSA con bug 261203.
Comment 25 Gilles Dartiguelongue gentoo-dev 2010-01-24 22:34:22 UTC
ping ? all of gnome 2.24 is going away soon.
Comment 26 Sean Amoss (RETIRED) gentoo-dev Security 2014-05-31 19:58:31 UTC
This issue has been fixed since Aug 02, 2009. No GLSA will be issued.