Security Advisory Critical: evolution security update

Advisory: RHSA-2008:0516-8
Type: Security Advisory
Severity: Critical
Issued on: 2008-06-04
Last updated on: 2008-06-04
Affected Products: Red Hat Desktop (v. 3)
Red Hat Desktop (v. 4)
Red Hat Enterprise Linux AS (v. 3)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux ES (v. 3)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux WS (v. 3)
Red Hat Enterprise Linux WS (v. 4)
OVAL: com.redhat.rhsa-20080516.xml
CVEs (cve.mitre.org): CVE-2008-1108

Details

Updated evolution packages that address a buffer overflow vulnerability are
now available for Red Hat Enterprise Linux 3 and Red Hat Enterprise Linux 4.

This update has been rated as having critical security impact by the Red
Hat Security Response Team.

Evolution is the integrated collection of e-mail, calendaring, contact
management, communications and personal information management (PIM) tools
for the GNOME desktop environment.

A flaw was found in the way Evolution parsed iCalendar timezone attachment
data. If mail which included a carefully crafted iCalendar attachment was
opened, arbitrary code could be executed as the user running Evolution.
(CVE-2008-1108)

Red Hat would like to thank Alin Rad Pop of Secunia Research for
responsibly disclosing this issue.

All users of Evolution should upgrade to these updated packages, which
contains a backported patch which resolves this issue.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

Red Hat Desktop (v. 3)
SRPMS:
evolution-1.4.5-22.el3.src.rpm     6c6e3e7decd4c77b75894f488aaec390
 
IA-32:
evolution-1.4.5-22.el3.i386.rpm     371763de5378a3cc0b65f45c0fa035d1
evolution-devel-1.4.5-22.el3.i386.rpm     102c497762963cf9a2862fbc25cafda2
 
x86_64:
evolution-1.4.5-22.el3.x86_64.rpm     18db5f62b9d485d2456b7a726cc70604
evolution-devel-1.4.5-22.el3.x86_64.rpm     5783993f64f430c7dbf1d0018fd072f7
 
Red Hat Desktop (v. 4)
SRPMS:
evolution-2.0.2-35.0.4.el4_6.2.src.rpm
File outdated by:  RHEA-2008:0766		     4f7f8dd93bd1684eb8d51b223a98de31
 
IA-32:
evolution-2.0.2-35.0.4.el4_6.2.i386.rpm
File outdated by:  RHEA-2008:0766		     899b2e539f6e4ecd040f154e4106009d
evolution-devel-2.0.2-35.0.4.el4_6.2.i386.rpm
File outdated by:  RHEA-2008:0766		     8edc13bb8f5768b06c1c6db5fabad358
 
x86_64:
evolution-2.0.2-35.0.4.el4_6.2.x86_64.rpm
File outdated by:  RHEA-2008:0766		     7c28e495c38fd069a3a02c36bc7b65ae
evolution-devel-2.0.2-35.0.4.el4_6.2.x86_64.rpm
File outdated by:  RHEA-2008:0766		     634a13c21616b3935fc1210aa7c78e36
 
Red Hat Enterprise Linux AS (v. 3)
SRPMS:
evolution-1.4.5-22.el3.src.rpm     6c6e3e7decd4c77b75894f488aaec390
 
IA-32:
evolution-1.4.5-22.el3.i386.rpm     371763de5378a3cc0b65f45c0fa035d1
evolution-devel-1.4.5-22.el3.i386.rpm     102c497762963cf9a2862fbc25cafda2
 
IA-64:
evolution-1.4.5-22.el3.ia64.rpm     e31bd715dd2ab2bf1d48ef7f1f3a1eed
evolution-devel-1.4.5-22.el3.ia64.rpm     3cf9fbd5eb3f5c90655132dced5f3294
 
PPC:
evolution-1.4.5-22.el3.ppc.rpm     c76ae453585724fef81dc728398b120e
evolution-devel-1.4.5-22.el3.ppc.rpm     0699a1700b26cf76bfd5a563566603a9
 
s390:
evolution-1.4.5-22.el3.s390.rpm     121ebe551517774d2aa64e77213595ae
evolution-devel-1.4.5-22.el3.s390.rpm     f201da1e787fd11d71f67e306406f64e
 
s390x:
evolution-1.4.5-22.el3.s390x.rpm     8a609d74ce87e57b6805483df7a485d7
evolution-devel-1.4.5-22.el3.s390x.rpm     8ed8f5864e73b6e2ed869c2277e551d2
 
x86_64:
evolution-1.4.5-22.el3.x86_64.rpm     18db5f62b9d485d2456b7a726cc70604
evolution-devel-1.4.5-22.el3.x86_64.rpm     5783993f64f430c7dbf1d0018fd072f7
 
Red Hat Enterprise Linux AS (v. 4)
SRPMS:
evolution-2.0.2-35.0.4.el4_6.2.src.rpm
File outdated by:  RHEA-2008:0766		     4f7f8dd93bd1684eb8d51b223a98de31
 
IA-32:
evolution-2.0.2-35.0.4.el4_6.2.i386.rpm
File outdated by:  RHEA-2008:0766		     899b2e539f6e4ecd040f154e4106009d
evolution-devel-2.0.2-35.0.4.el4_6.2.i386.rpm
File outdated by:  RHEA-2008:0766		     8edc13bb8f5768b06c1c6db5fabad358
 
IA-64:
evolution-2.0.2-35.0.4.el4_6.2.ia64.rpm
File outdated by:  RHEA-2008:0766		     a88009755857f67a2bb94517794eb3a5
evolution-devel-2.0.2-35.0.4.el4_6.2.ia64.rpm
File outdated by:  RHEA-2008:0766		     1e298aadab7c399621223c2a6c2967b2
 
PPC:
evolution-2.0.2-35.0.4.el4_6.2.ppc.rpm
File outdated by:  RHEA-2008:0766		     c28d940eef02e6d39603f0de856b52ab
evolution-devel-2.0.2-35.0.4.el4_6.2.ppc.rpm
File outdated by:  RHEA-2008:0766		     2b2d9ce0e7f932ca9736f1095a22e121
 
s390:
evolution-2.0.2-35.0.4.el4_6.2.s390.rpm
File outdated by:  RHEA-2008:0766		     96a9a158feca0a5eaf970acaa327e067
evolution-devel-2.0.2-35.0.4.el4_6.2.s390.rpm
File outdated by:  RHEA-2008:0766		     b834c70d79ee75332a5754e3a5195dee
 
s390x:
evolution-2.0.2-35.0.4.el4_6.2.s390x.rpm
File outdated by:  RHEA-2008:0766		     805f22f36d20246737ff26e82dd2858e
evolution-devel-2.0.2-35.0.4.el4_6.2.s390x.rpm
File outdated by:  RHEA-2008:0766		     506561aa250a75a1cc3c6edfbfcbd52d
 
x86_64:
evolution-2.0.2-35.0.4.el4_6.2.x86_64.rpm
File outdated by:  RHEA-2008:0766		     7c28e495c38fd069a3a02c36bc7b65ae
evolution-devel-2.0.2-35.0.4.el4_6.2.x86_64.rpm
File outdated by:  RHEA-2008:0766		     634a13c21616b3935fc1210aa7c78e36
 
Red Hat Enterprise Linux ES (v. 3)
SRPMS:
evolution-1.4.5-22.el3.src.rpm     6c6e3e7decd4c77b75894f488aaec390
 
IA-32:
evolution-1.4.5-22.el3.i386.rpm     371763de5378a3cc0b65f45c0fa035d1
evolution-devel-1.4.5-22.el3.i386.rpm     102c497762963cf9a2862fbc25cafda2
 
IA-64:
evolution-1.4.5-22.el3.ia64.rpm     e31bd715dd2ab2bf1d48ef7f1f3a1eed
evolution-devel-1.4.5-22.el3.ia64.rpm     3cf9fbd5eb3f5c90655132dced5f3294
 
x86_64:
evolution-1.4.5-22.el3.x86_64.rpm     18db5f62b9d485d2456b7a726cc70604
evolution-devel-1.4.5-22.el3.x86_64.rpm     5783993f64f430c7dbf1d0018fd072f7
 
Red Hat Enterprise Linux ES (v. 4)
SRPMS:
evolution-2.0.2-35.0.4.el4_6.2.src.rpm
File outdated by:  RHEA-2008:0766		     4f7f8dd93bd1684eb8d51b223a98de31
 
IA-32:
evolution-2.0.2-35.0.4.el4_6.2.i386.rpm
File outdated by:  RHEA-2008:0766		     899b2e539f6e4ecd040f154e4106009d
evolution-devel-2.0.2-35.0.4.el4_6.2.i386.rpm
File outdated by:  RHEA-2008:0766		     8edc13bb8f5768b06c1c6db5fabad358
 
IA-64:
evolution-2.0.2-35.0.4.el4_6.2.ia64.rpm
File outdated by:  RHEA-2008:0766		     a88009755857f67a2bb94517794eb3a5
evolution-devel-2.0.2-35.0.4.el4_6.2.ia64.rpm
File outdated by:  RHEA-2008:0766		     1e298aadab7c399621223c2a6c2967b2
 
x86_64:
evolution-2.0.2-35.0.4.el4_6.2.x86_64.rpm
File outdated by:  RHEA-2008:0766		     7c28e495c38fd069a3a02c36bc7b65ae
evolution-devel-2.0.2-35.0.4.el4_6.2.x86_64.rpm
File outdated by:  RHEA-2008:0766		     634a13c21616b3935fc1210aa7c78e36
 
Red Hat Enterprise Linux WS (v. 3)
SRPMS:
evolution-1.4.5-22.el3.src.rpm     6c6e3e7decd4c77b75894f488aaec390
 
IA-32:
evolution-1.4.5-22.el3.i386.rpm     371763de5378a3cc0b65f45c0fa035d1
evolution-devel-1.4.5-22.el3.i386.rpm     102c497762963cf9a2862fbc25cafda2
 
IA-64:
evolution-1.4.5-22.el3.ia64.rpm     e31bd715dd2ab2bf1d48ef7f1f3a1eed
evolution-devel-1.4.5-22.el3.ia64.rpm     3cf9fbd5eb3f5c90655132dced5f3294
 
x86_64:
evolution-1.4.5-22.el3.x86_64.rpm     18db5f62b9d485d2456b7a726cc70604
evolution-devel-1.4.5-22.el3.x86_64.rpm     5783993f64f430c7dbf1d0018fd072f7
 
Red Hat Enterprise Linux WS (v. 4)
SRPMS:
evolution-2.0.2-35.0.4.el4_6.2.src.rpm
File outdated by:  RHEA-2008:0766		     4f7f8dd93bd1684eb8d51b223a98de31
 
IA-32:
evolution-2.0.2-35.0.4.el4_6.2.i386.rpm
File outdated by:  RHEA-2008:0766		     899b2e539f6e4ecd040f154e4106009d
evolution-devel-2.0.2-35.0.4.el4_6.2.i386.rpm
File outdated by:  RHEA-2008:0766		     8edc13bb8f5768b06c1c6db5fabad358
 
IA-64:
evolution-2.0.2-35.0.4.el4_6.2.ia64.rpm
File outdated by:  RHEA-2008:0766		     a88009755857f67a2bb94517794eb3a5
evolution-devel-2.0.2-35.0.4.el4_6.2.ia64.rpm
File outdated by:  RHEA-2008:0766		     1e298aadab7c399621223c2a6c2967b2
 
x86_64:
evolution-2.0.2-35.0.4.el4_6.2.x86_64.rpm
File outdated by:  RHEA-2008:0766		     7c28e495c38fd069a3a02c36bc7b65ae
evolution-devel-2.0.2-35.0.4.el4_6.2.x86_64.rpm
File outdated by:  RHEA-2008:0766		     634a13c21616b3935fc1210aa7c78e36
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

448540 - CVE-2008-1108 evolution: iCalendar buffer overflow via large timezone specification


References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1108
http://www.redhat.com/security/updates/classification/#critical

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/