Evolution has critical flaw
Security service provider Secunia has reported a critical flaw in the Evolution e-mail and groupware program. Attackers can use crafted e-mails to exploit a programming flaw that allows them to execute their own code with the rights of the logged-on user when an e-mail is opened.
Secunia's Ulf Harnhammar discovered the way to code to inject and execute code. When version data from an encrypted email are displayed by the
emf_multipart_encrypted() function, a format string error can occur.
Secunia recommends users not to open untrusted e-mails. To be on the safe side, Evolution should be completely avoided for the time being. In its security advisory, Secunia says that various Linux distributors will soon be providing patches.
- Evolution Encrypted Message Format String Vulnerability, Secunia's security advisory