In association with heise online

05 June 2008, 11:18

Two critical bugs in Evolution


Evolution, the Gnome desktop's standard email client and personal information manager, contains two security vulnerabilities which can apparently be exploited to inject and execute code on a system. According to Secunia, there is a time zone string parsing bug in the processing of iCalendar appointment attachments that could lead to a buffer overflow. However, for this to happen the ITip Formatter plugin must be deactivated. In addition, a heap overflow can occur when replying to iCalendar requests if the DESCRIPTION field of an attachment is too long. However, this attack is apparently only possible while the victim is in calendar view.

The bugs were found in version 2.22.1, but previous versions are probably also vulnerable. No update has yet been posted on the official web site, but some Linux distributors have already released updated packages. Alternatively, Secunia recommends that users not open emails from untrusted sources. Security-conscious users are advised not to use Evolution until further notice.
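Until patched packages are installed, iCalendar attachments can be triaged before they reach the client. The following is an added example, not code from Secunia or the Evolution project: it unfolds an iCalendar file and reports unusually long time zone and DESCRIPTION values. The length limits and the choice of TZID as the "time zone string" are assumptions, and the sample calendar is constructed.

```python
import re

# Assumed triage limits (not from the advisory): chosen only to surface
# abnormally long values for manual review.
LIMITS = {"TZID": 128, "DESCRIPTION": 8192}

# Constructed sample: an oversized TZID parameter and a folded DESCRIPTION.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "BEGIN:VEVENT\r\n"
    "DTSTART;TZID=" + "A" * 300 + ":20080605T111800\r\n"
    "DESCRIPTION:Quarterly planning\r\n"
    " meeting\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

def unfold(text):
    """Undo iCalendar line folding: a line break followed by space or tab."""
    return re.sub(r"\r?\n[ \t]", "", text).splitlines()

def split_content_line(line):
    """Split 'NAME;PARAM=V:VALUE' at the first colon outside double quotes."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ":" and not in_quotes:
            return line[:i], line[i + 1:]
    return line, ""

def scan_ics(text):
    """Return (field, length) for every value longer than its assumed limit."""
    findings = []
    for line in unfold(text):
        head, value = split_content_line(line)
        # Split parameters on ';' only where it is outside a quoted value.
        name, *params = re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', head)
        name = name.upper()
        if len(value) > LIMITS.get(name, float("inf")):
            findings.append((name, len(value)))
        for param in params:
            key, _, pval = param.partition("=")
            if key.upper() == "TZID" and len(pval) > LIMITS["TZID"]:
                findings.append((name + ";TZID", len(pval)))
    return findings

if __name__ == "__main__":
    for field, length in scan_ics(SAMPLE_ICS):
        print(f"suspicious {field}: {length} characters")
```

Lengths are measured after unfolding, so a long value split across many short folded lines is still reported.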
