ID CVE-2009-0587
Summary Multiple integer overflows in Evolution Data Server (aka evolution-data-server) before 2.24.5 allow context-dependent attackers to execute arbitrary code via a long string that is converted to a base64 representation in (1) addressbook/libebook/e-vcard.c in evc or (2) camel/camel-mime-utils.c in libcamel.
References
Vulnerable Configurations
  • cpe:2.3:a:go-evolution:evolution-data-server:2.24.4
    cpe:2.3:a:go-evolution:evolution-data-server:2.24.4
CVSS
Base: 7.5 (as of 15-03-2009 - 16:41)
Impact:
Exploitability:
CWE CWE-189
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
nessus via4
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1813.NASL
    description Several vulnerabilities have been found in evolution-data-server, the database backend server for the evolution groupware suite. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2009-0587 It was discovered that evolution-data-server is prone to integer overflows triggered by large base64 strings. - CVE-2009-0547 Joachim Breitner discovered that S/MIME signatures are not verified properly, which can lead to spoofing attacks. - CVE-2009-0582 It was discovered that NTLM authentication challenge packets are not validated properly when using the NTLM authentication method, which could lead to an information disclosure or a denial of service.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 39334
    published 2009-06-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=39334
    title Debian DSA-1813-1 : evolution-data-server - Several vulnerabilities
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2009-0354.NASL
    description Updated evolution-data-server and evolution28-evolution-data-server packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Evolution Data Server provides a unified back-end for applications which interact with contacts, task, and calendar information. Evolution Data Server was originally developed as a back-end for Evolution, but is now used by multiple other applications. Evolution Data Server did not properly check the Secure/Multipurpose Internet Mail Extensions (S/MIME) signatures used for public key encryption and signing of e-mail messages. An attacker could use this flaw to spoof a signature by modifying the text of the e-mail message displayed to the user. (CVE-2009-0547) It was discovered that Evolution Data Server did not properly validate NTLM (NT LAN Manager) authentication challenge packets. A malicious server using NTLM authentication could cause an application using Evolution Data Server to disclose portions of its memory or crash during user authentication. (CVE-2009-0582) Multiple integer overflow flaws which could cause heap-based buffer overflows were found in the Base64 encoding routines used by Evolution Data Server. This could cause an application using Evolution Data Server to crash, or, possibly, execute an arbitrary code when large untrusted data blocks were Base64-encoded. (CVE-2009-0587) All users of evolution-data-server and evolution28-evolution-data-server are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of Evolution Data Server and applications using it (such as Evolution) must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 38893
    published 2009-05-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=38893
    title CentOS 4 : evolution-data-server (CESA-2009:0354)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2009-078.NASL
    description A wrong handling of signed Secure/Multipurpose Internet Mail Extensions (S/MIME) e-mail messages enables attackers to spoof its signatures by modifying the latter copy (CVE-2009-0547). Crafted authentication challange packets (NT Lan Manager type 2) sent by a malicious remote mail server enables remote attackers either to cause denial of service and to read information from the process memory of the client (CVE-2009-0582). Multiple integer overflows in Base64 encoding functions enables attackers either to cause denial of service and to execute arbitrary code (CVE-2009-0587). This update provides fixes for those vulnerabilities. Update : evolution-data-server packages from Mandriva Linux distributions 2008.1 and 2009.0 are not affected by CVE-2009-0587.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 37259
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=37259
    title Mandriva Linux Security Advisory : evolution-data-server (MDVSA-2009:078)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20090316_EVOLUTION_DATA_SERVER_ON_SL5_X.NASL
    description Evolution Data Server did not properly check the Secure/Multipurpose Internet Mail Extensions (S/MIME) signatures used for public key encryption and signing of e-mail messages. An attacker could use this flaw to spoof a signature by modifying the text of the e-mail message displayed to the user. (CVE-2009-0547) It was discovered that Evolution Data Server did not properly validate NTLM (NT LAN Manager) authentication challenge packets. A malicious server using NTLM authentication could cause an application using Evolution Data Server to disclose portions of its memory or crash during user authentication. (CVE-2009-0582) Multiple integer overflow flaws which could cause heap-based buffer overflows were found in the Base64 encoding routines used by Evolution Data Server. This could cause an application using Evolution Data Server to crash, or, possibly, execute an arbitrary code when large untrusted data blocks were Base64-encoded. (CVE-2009-0587) All running instances of Evolution Data Server and applications using it (such as Evolution) must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 60545
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60545
    title Scientific Linux Security Update : evolution-data-server on SL5.x i386/x86_64
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-733-1.NASL
    description It was discovered that the Base64 encoding functions in evolution-data-server did not properly handle large strings. If a user were tricked into opening a specially crafted image file, or tricked into connecting to a malicious server, an attacker could possibly execute arbitrary code with user privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 36746
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=36746
    title Ubuntu 6.06 LTS / 7.10 : evolution-data-server vulnerability (USN-733-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_EVOLUTION-DATA-SERVER-100208.NASL
    description This update fixes the following vulnerability : evolution considered S/MIME signatures to be valid even for modified mails. (CVE-2009-0547: CVSS v2 Base Score: 5.0) Additionally the following bug has been fixed : - A POP3 server sending overly long lines could crash evolution.
    last seen 2019-02-21
    modified 2016-12-21
    plugin id 45036
    published 2010-03-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=45036
    title SuSE 11 Security Update : evolution-data-server (SAT Patch Number 1944)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_EVOLUTION-DATA-SERVER-7029.NASL
    description The following bugs have been fixed : evolution considered S/MIME signatures to be valid even for modified mails (CVE-2009-0547). specially crafted base64 encoded messages could cause a heap buffer overflow (CVE-2009-0587). A POP3 server sending overly long lines could crash evolution.
    last seen 2019-02-21
    modified 2016-12-22
    plugin id 49847
    published 2010-10-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=49847
    title SuSE 10 Security Update : evolution-data-server (ZYPP Patch Number 7029)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2009-0358.NASL
    description Updated evolution packages that fixes multiple security issues are now available for Red Hat Enterprise Linux 3. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Evolution is the integrated collection of e-mail, calendaring, contact management, communications, and personal information management (PIM) tools for the GNOME desktop environment. It was discovered that evolution did not properly validate NTLM (NT LAN Manager) authentication challenge packets. A malicious server using NTLM authentication could cause evolution to disclose portions of its memory or crash during user authentication. (CVE-2009-0582) An integer overflow flaw which could cause heap-based buffer overflow was found in the Base64 encoding routine used by evolution. This could cause evolution to crash, or, possibly, execute an arbitrary code when large untrusted data blocks were Base64-encoded. (CVE-2009-0587) All users of evolution are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of evolution must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 35931
    published 2009-03-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=35931
    title CentOS 3 : evolution (CESA-2009:0358)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2009-0355.NASL
    description Updated evolution and evolution-data-server packages that fixes multiple security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Evolution is the integrated collection of e-mail, calendaring, contact management, communications, and personal information management (PIM) tools for the GNOME desktop environment. Evolution Data Server provides a unified back-end for applications which interact with contacts, task and calendar information. Evolution Data Server was originally developed as a back-end for Evolution, but is now used by multiple other applications. Evolution did not properly check the Secure/Multipurpose Internet Mail Extensions (S/MIME) signatures used for public key encryption and signing of e-mail messages. An attacker could use this flaw to spoof a signature by modifying the text of the e-mail message displayed to the user. (CVE-2009-0547) It was discovered that evolution did not properly validate NTLM (NT LAN Manager) authentication challenge packets. A malicious server using NTLM authentication could cause evolution to disclose portions of its memory or crash during user authentication. (CVE-2009-0582) Multiple integer overflow flaws which could cause heap-based buffer overflows were found in the Base64 encoding routines used by evolution and evolution-data-server. This could cause evolution, or an application using evolution-data-server, to crash, or, possibly, execute an arbitrary code when large untrusted data blocks were Base64-encoded. (CVE-2009-0587) All users of evolution and evolution-data-server are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of evolution and evolution-data-server must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-11-27
    plugin id 35946
    published 2009-03-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=35946
    title RHEL 4 : evolution and evolution-data-server (RHSA-2009:0355)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2009-0355.NASL
    description From Red Hat Security Advisory 2009:0355 : Updated evolution and evolution-data-server packages that fixes multiple security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Evolution is the integrated collection of e-mail, calendaring, contact management, communications, and personal information management (PIM) tools for the GNOME desktop environment. Evolution Data Server provides a unified back-end for applications which interact with contacts, task and calendar information. Evolution Data Server was originally developed as a back-end for Evolution, but is now used by multiple other applications. Evolution did not properly check the Secure/Multipurpose Internet Mail Extensions (S/MIME) signatures used for public key encryption and signing of e-mail messages. An attacker could use this flaw to spoof a signature by modifying the text of the e-mail message displayed to the user. (CVE-2009-0547) It was discovered that evolution did not properly validate NTLM (NT LAN Manager) authentication challenge packets. A malicious server using NTLM authentication could cause evolution to disclose portions of its memory or crash during user authentication. (CVE-2009-0582) Multiple integer overflow flaws which could cause heap-based buffer overflows were found in the Base64 encoding routines used by evolution and evolution-data-server. This could cause evolution, or an application using evolution-data-server, to crash, or, possibly, execute an arbitrary code when large untrusted data blocks were Base64-encoded. (CVE-2009-0587) All users of evolution and evolution-data-server are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of evolution and evolution-data-server must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 67826
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67826
    title Oracle Linux 4 : evolution / evolution-data-server (ELSA-2009-0355)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2009-0358.NASL
    description From Red Hat Security Advisory 2009:0358 : Updated evolution packages that fixes multiple security issues are now available for Red Hat Enterprise Linux 3. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Evolution is the integrated collection of e-mail, calendaring, contact management, communications, and personal information management (PIM) tools for the GNOME desktop environment. It was discovered that evolution did not properly validate NTLM (NT LAN Manager) authentication challenge packets. A malicious server using NTLM authentication could cause evolution to disclose portions of its memory or crash during user authentication. (CVE-2009-0582) An integer overflow flaw which could cause heap-based buffer overflow was found in the Base64 encoding routine used by evolution. This could cause evolution to crash, or, possibly, execute an arbitrary code when large untrusted data blocks were Base64-encoded. (CVE-2009-0587) All users of evolution are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of evolution must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 67827
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67827
    title Oracle Linux 3 : evolution (ELSA-2009-0358)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2009-0355.NASL
    description Updated evolution and evolution-data-server packages that fixes multiple security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Evolution is the integrated collection of e-mail, calendaring, contact management, communications, and personal information management (PIM) tools for the GNOME desktop environment. Evolution Data Server provides a unified back-end for applications which interact with contacts, task and calendar information. Evolution Data Server was originally developed as a back-end for Evolution, but is now used by multiple other applications. Evolution did not properly check the Secure/Multipurpose Internet Mail Extensions (S/MIME) signatures used for public key encryption and signing of e-mail messages. An attacker could use this flaw to spoof a signature by modifying the text of the e-mail message displayed to the user. (CVE-2009-0547) It was discovered that evolution did not properly validate NTLM (NT LAN Manager) authentication challenge packets. A malicious server using NTLM authentication could cause evolution to disclose portions of its memory or crash during user authentication. (CVE-2009-0582) Multiple integer overflow flaws which could cause heap-based buffer overflows were found in the Base64 encoding routines used by evolution and evolution-data-server. This could cause evolution, or an application using evolution-data-server, to crash, or, possibly, execute an arbitrary code when large untrusted data blocks were Base64-encoded. (CVE-2009-0587) All users of evolution and evolution-data-server are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of evolution and evolution-data-server must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 38894
    published 2009-05-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=38894
    title CentOS 4 : evolution / evolution-data-server (CESA-2009:0355)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2009-0354.NASL
    description From Red Hat Security Advisory 2009:0354 : Updated evolution-data-server and evolution28-evolution-data-server packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Evolution Data Server provides a unified back-end for applications which interact with contacts, task, and calendar information. Evolution Data Server was originally developed as a back-end for Evolution, but is now used by multiple other applications. Evolution Data Server did not properly check the Secure/Multipurpose Internet Mail Extensions (S/MIME) signatures used for public key encryption and signing of e-mail messages. An attacker could use this flaw to spoof a signature by modifying the text of the e-mail message displayed to the user. (CVE-2009-0547) It was discovered that Evolution Data Server did not properly validate NTLM (NT LAN Manager) authentication challenge packets. A malicious server using NTLM authentication could cause an application using Evolution Data Server to disclose portions of its memory or crash during user authentication. (CVE-2009-0582) Multiple integer overflow flaws which could cause heap-based buffer overflows were found in the Base64 encoding routines used by Evolution Data Server. This could cause an application using Evolution Data Server to crash, or, possibly, execute an arbitrary code when large untrusted data blocks were Base64-encoded. (CVE-2009-0587) All users of evolution-data-server and evolution28-evolution-data-server are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of Evolution Data Server and applications using it (such as Evolution) must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 67825
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67825
    title Oracle Linux 4 / 5 : evolution-data-server (ELSA-2009-0354)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20090316_EVOLUTION_ON_SL3_X.NASL
    description It was discovered that evolution did not properly validate NTLM (NT LAN Manager) authentication challenge packets. A malicious server using NTLM authentication could cause evolution to disclose portions of its memory or crash during user authentication. (CVE-2009-0582) An integer overflow flaw which could cause heap-based buffer overflow was found in the Base64 encoding routine used by evolution. This could cause evolution to crash, or, possibly, execute an arbitrary code when large untrusted data blocks were Base64-encoded. (CVE-2009-0587) All running instances of evolution must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 60546
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60546
    title Scientific Linux Security Update : evolution on SL3.x i386/x86_64
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2009-0358.NASL
    description Updated evolution packages that fixes multiple security issues are now available for Red Hat Enterprise Linux 3. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Evolution is the integrated collection of e-mail, calendaring, contact management, communications, and personal information management (PIM) tools for the GNOME desktop environment. It was discovered that evolution did not properly validate NTLM (NT LAN Manager) authentication challenge packets. A malicious server using NTLM authentication could cause evolution to disclose portions of its memory or crash during user authentication. (CVE-2009-0582) An integer overflow flaw which could cause heap-based buffer overflow was found in the Base64 encoding routine used by evolution. This could cause evolution to crash, or, possibly, execute an arbitrary code when large untrusted data blocks were Base64-encoded. (CVE-2009-0587) All users of evolution are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of evolution must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-11-27
    plugin id 35947
    published 2009-03-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=35947
    title RHEL 3 : evolution (RHSA-2009:0358)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2009-0354.NASL
    description Updated evolution-data-server and evolution28-evolution-data-server packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Evolution Data Server provides a unified back-end for applications which interact with contacts, task, and calendar information. Evolution Data Server was originally developed as a back-end for Evolution, but is now used by multiple other applications. Evolution Data Server did not properly check the Secure/Multipurpose Internet Mail Extensions (S/MIME) signatures used for public key encryption and signing of e-mail messages. An attacker could use this flaw to spoof a signature by modifying the text of the e-mail message displayed to the user. (CVE-2009-0547) It was discovered that Evolution Data Server did not properly validate NTLM (NT LAN Manager) authentication challenge packets. A malicious server using NTLM authentication could cause an application using Evolution Data Server to disclose portions of its memory or crash during user authentication. (CVE-2009-0582) Multiple integer overflow flaws which could cause heap-based buffer overflows were found in the Base64 encoding routines used by Evolution Data Server. This could cause an application using Evolution Data Server to crash, or, possibly, execute an arbitrary code when large untrusted data blocks were Base64-encoded. (CVE-2009-0587) All users of evolution-data-server and evolution28-evolution-data-server are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of Evolution Data Server and applications using it (such as Evolution) must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-11-27
    plugin id 35945
    published 2009-03-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=35945
    title RHEL 4 / 5 : evolution-data-server (RHSA-2009:0354)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20090316_EVOLUTION_AND_EVOLUTION_DATA_SERVER_ON_SL4_X.NASL
    description Evolution Data Server provides a unified back-end for applications which interact with contacts, task and calendar information. Evolution Data Server was originally developed as a back-end for Evolution, but is now used by multiple other applications. Evolution did not properly check the Secure/Multipurpose Internet Mail Extensions (S/MIME) signatures used for public key encryption and signing of e-mail messages. An attacker could use this flaw to spoof a signature by modifying the text of the e-mail message displayed to the user. (CVE-2009-0547) It was discovered that evolution did not properly validate NTLM (NT LAN Manager) authentication challenge packets. A malicious server using NTLM authentication could cause evolution to disclose portions of its memory or crash during user authentication. (CVE-2009-0582) Multiple integer overflow flaws which could cause heap-based buffer overflows were found in the Base64 encoding routines used by evolution and evolution-data-server. This could cause evolution, or an application using evolution-data-server, to crash, or, possibly, execute an arbitrary code when large untrusted data blocks were Base64-encoded. (CVE-2009-0587) All running instances of evolution and evolution-data-server must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 60544
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60544
    title Scientific Linux Security Update : evolution and evolution-data-server on SL4.x i386/x86_64
oval via4
accepted 2013-04-29T04:13:42.259-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description Multiple integer overflows in Evolution Data Server (aka evolution-data-server) before 2.24.5 allow context-dependent attackers to execute arbitrary code via a long string that is converted to a base64 representation in (1) addressbook/libebook/e-vcard.c in evc or (2) camel/camel-mime-utils.c in libcamel.
family unix
id oval:org.mitre.oval:def:11385
status accepted
submitted 2010-07-09T03:56:16-04:00
title Multiple integer overflows in Evolution Data Server (aka evolution-data-server) before 2.24.5 allow context-dependent attackers to execute arbitrary code via a long string that is converted to a base64 representation in (1) addressbook/libebook/e-vcard.c in evc or (2) camel/camel-mime-utils.c in libcamel.
version 25
redhat via4
advisories
  • bugzilla
    id 488226
    title CVE-2009-0587 evolution-data-server: integer overflow in base64 encoding functions
    oval
    OR
    • AND
      • comment Red Hat Enterprise Linux 4 is installed
        oval oval:com.redhat.rhba:tst:20070304001
      • OR
        • AND
          • comment evolution28-evolution-data-server is earlier than 0:1.8.0-37.el4_7.2
            oval oval:com.redhat.rhsa:tst:20090354002
          • comment evolution28-evolution-data-server is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20090354003
        • AND
          • comment evolution28-evolution-data-server-devel is earlier than 0:1.8.0-37.el4_7.2
            oval oval:com.redhat.rhsa:tst:20090354004
          • comment evolution28-evolution-data-server-devel is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20090354005
    • AND
      • comment Red Hat Enterprise Linux 5 is installed
        oval oval:com.redhat.rhba:tst:20070331001
      • OR
        • AND
          • comment evolution-data-server is earlier than 0:1.12.3-10.el5_3.3
            oval oval:com.redhat.rhsa:tst:20090354007
          • comment evolution-data-server is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070344003
        • AND
          • comment evolution-data-server-devel is earlier than 0:1.12.3-10.el5_3.3
            oval oval:com.redhat.rhsa:tst:20090354009
          • comment evolution-data-server-devel is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070344005
        • AND
          • comment evolution-data-server-doc is earlier than 0:1.12.3-10.el5_3.3
            oval oval:com.redhat.rhsa:tst:20090354011
          • comment evolution-data-server-doc is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20090354012
    rhsa
    id RHSA-2009:0354
    released 2009-03-16
    severity Moderate
    title RHSA-2009:0354: evolution-data-server security update (Moderate)
  • bugzilla
    id 488226
    title CVE-2009-0587 evolution-data-server: integer overflow in base64 encoding functions
    oval
    AND
    • comment Red Hat Enterprise Linux 4 is installed
      oval oval:com.redhat.rhba:tst:20070304001
    • OR
      • AND
        • comment evolution is earlier than 0:2.0.2-41.el4_7.2
          oval oval:com.redhat.rhsa:tst:20090355002
        • comment evolution is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20070353003
      • AND
        • comment evolution-devel is earlier than 0:2.0.2-41.el4_7.2
          oval oval:com.redhat.rhsa:tst:20090355004
        • comment evolution-devel is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20070353005
      • AND
        • comment evolution-data-server is earlier than 0:1.0.2-14.el4_7.1
          oval oval:com.redhat.rhsa:tst:20090355006
        • comment evolution-data-server is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20090355007
      • AND
        • comment evolution-data-server-devel is earlier than 0:1.0.2-14.el4_7.1
          oval oval:com.redhat.rhsa:tst:20090355008
        • comment evolution-data-server-devel is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20090355009
    rhsa
    id RHSA-2009:0355
    released 2009-03-16
    severity Moderate
    title RHSA-2009:0355: evolution and evolution-data-server security update (Moderate)
  • bugzilla
    id 488226
    title CVE-2009-0587 evolution-data-server: integer overflow in base64 encoding functions
    oval
    AND
    • comment Red Hat Enterprise Linux 3 is installed
      oval oval:com.redhat.rhba:tst:20070026001
    • OR
      • AND
        • comment evolution is earlier than 0:1.4.5-25.el3
          oval oval:com.redhat.rhsa:tst:20090358002
        • comment evolution is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20070353003
      • AND
        • comment evolution-devel is earlier than 0:1.4.5-25.el3
          oval oval:com.redhat.rhsa:tst:20090358004
        • comment evolution-devel is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20070353005
    rhsa
    id RHSA-2009:0358
    released 2009-03-16
    severity Moderate
    title RHSA-2009:0358: evolution security update (Moderate)
rpms
  • evolution28-evolution-data-server-0:1.8.0-37.el4_7.2
  • evolution28-evolution-data-server-devel-0:1.8.0-37.el4_7.2
  • evolution-data-server-0:1.12.3-10.el5_3.3
  • evolution-data-server-devel-0:1.12.3-10.el5_3.3
  • evolution-data-server-doc-0:1.12.3-10.el5_3.3
  • evolution-0:2.0.2-41.el4_7.2
  • evolution-devel-0:2.0.2-41.el4_7.2
  • evolution-data-server-0:1.0.2-14.el4_7.1
  • evolution-data-server-devel-0:1.0.2-14.el4_7.1
  • evolution-0:1.4.5-25.el3
  • evolution-devel-0:1.4.5-25.el3
refmap via4
bid 34100
bugtraq 20090312 [oCERT-2008-015] glib and glib-predecessor heap overflows
debian DSA-1813
mandriva MDVSA-2009:078
misc
mlist [oss-security] 20090312 [oCERT-2008-015] glib and glib-predecessor heap overflows
osvdb
  • 52702
  • 52703
secunia
  • 34338
  • 34339
  • 34348
  • 34351
  • 35357
suse SUSE-SR:2010:012
ubuntu USN-733-1
Last major update 21-08-2010 - 01:30
Published 14-03-2009 - 14:30
Last modified 10-10-2018 - 15:29
Back to Top