[SECURITY] [DSA 1325-1] New evolution packages fix arbitrary code execution
From: Moritz Muehlenhoff <jmm () debian org>
Date: Fri, 29 Jun 2007 17:06:48 +0200

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1325-1                    security () debian org
http://www.debian.org/security/                         Moritz Muehlenhoff
June 29th, 2007                         http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : evolution
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE ID         : CVE-2007-1002 CVE-2007-3257

Several remote vulnerabilities have been discovered in Evolution, a
groupware suite with mail client and organizer. The Common Vulnerabilities
and Exposures project identifies the following problems:

CVE-2007-1002

    Ulf Harnhammer discovered that a format string vulnerability in
    the handling of shared calendars may allow the execution of arbitrary
    code.

CVE-2007-3257

    It was discovered that the IMAP code in the Evolution Data Server
    performs insufficient sanitising of a value later used as an array index,
    which can lead to the execution of arbitrary code.
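The two bug classes the advisory names, shown as an added illustration in C: each vulnerable shape sits beside its hardened form. This is constructed example code, not Evolution's source; the function names, the `struct summary` layout and the "* 3 EXPUNGE" response form are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed illustration, not Evolution's code: names and layouts are assumed. */
/* CVE-2007-1002 pattern, vulnerable shape: the calendar text itself is the
 * format string, so "%n"/"%x" directives inside it drive the formatter. */
static int log_calendar_error_vuln(char *out, size_t outlen, const char *untrusted, ...)
{
    va_list ap;
    va_start(ap, untrusted);
    int n = vsnprintf(out, outlen, untrusted, ap);  /* data used as format */
    va_end(ap);
    return n;
}

/* Hardened shape: fixed format string; the untrusted data only fills "%s". */
static int log_calendar_error_safe(char *out, size_t outlen, const char *untrusted)
{
    return snprintf(out, outlen, "%s", untrusted);  /* "%x" stays literal */
}

/* CVE-2007-3257 pattern: a number from the IMAP server indexes the local summary. */
#define N_MESSAGES 4
struct summary { int uid[N_MESSAGES]; };

/* Sequence number of an untagged response such as "* 3 EXPUNGE" (assumed
 * form). strtol returns 0, negatives or huge values; nothing here bounds it. */
static long parse_seq(const char *line)
{
    if (strncmp(line, "* ", 2) != 0)
        return -1;
    return strtol(line + 2, NULL, 10);
}

/* Vulnerable shape: seq is trusted; 0, negatives or > N_MESSAGES write outside uid[]. */
static int mark_expunged_vuln(struct summary *s, long seq)
{
    s->uid[seq - 1] = -1;
    return 0;
}

/* Hardened shape: reject anything outside 1..N_MESSAGES before indexing. */
static int mark_expunged_safe(struct summary *s, long seq)
{
    if (seq < 1 || seq > N_MESSAGES)
        return -1;  /* refuse the server's value rather than trust it */
    s->uid[seq - 1] = -1;
    return 0;
}
```

Both vulnerable shapes behave identically to the safe ones on benign input, which is why they survive testing; the difference only appears when a remote party controls the calendar text or the sequence number.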

For the oldstable distribution (sarge) these problems have been fixed in
version 2.0.4-2sarge2. Packages for hppa, mips and powerpc are not yet
available. They will be provided later.

For the stable distribution (etch) these problems have been fixed
in version 2.6.3-6etch1. Packages for mips are not yet available. They
will be provided later.

For the unstable distribution (sid) these problems will be fixed soon.

We recommend that you upgrade your evolution packages.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Debian GNU/Linux 3.1 alias sarge
- --------------------------------


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce () lists debian org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
