Security Advisory Moderate: evolution and evolution-data-server security update

Advisory: RHSA-2009:0355-9
Type: Security Advisory
Severity: Moderate
Issued on: 2009-03-16
Last updated on: 2009-03-16
Affected Products: Red Hat Desktop (v. 4)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux AS (v. 4.7.z)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux ES (v. 4.7.z)
Red Hat Enterprise Linux WS (v. 4)
OVAL: com.redhat.rhsa-20090355.xml
CVEs (cve.mitre.org): CVE-2009-0547
CVE-2009-0582
CVE-2009-0587

Details

Updated evolution and evolution-data-server packages that fixes multiple
security issues are now available for Red Hat Enterprise Linux 4.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

Evolution is the integrated collection of e-mail, calendaring, contact
management, communications, and personal information management (PIM) tools
for the GNOME desktop environment.

Evolution Data Server provides a unified back-end for applications which
interact with contacts, task and calendar information. Evolution Data
Server was originally developed as a back-end for Evolution, but is now
used by multiple other applications.

Evolution did not properly check the Secure/Multipurpose Internet Mail
Extensions (S/MIME) signatures used for public key encryption and signing
of e-mail messages. An attacker could use this flaw to spoof a signature by
modifying the text of the e-mail message displayed to the user. (CVE-2009-0547)

It was discovered that evolution did not properly validate NTLM (NT LAN
Manager) authentication challenge packets. A malicious server using NTLM
authentication could cause evolution to disclose portions of its memory or
crash during user authentication. (CVE-2009-0582)

Multiple integer overflow flaws which could cause heap-based buffer
overflows were found in the Base64 encoding routines used by evolution and
evolution-data-server. This could cause evolution, or an application using
evolution-data-server, to crash, or, possibly, execute an arbitrary code
when large untrusted data blocks were Base64-encoded. (CVE-2009-0587)

All users of evolution and evolution-data-server are advised to upgrade to
these updated packages, which contain backported patches to correct these
issues. All running instances of evolution and evolution-data-server must
be restarted for the update to take effect.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

Red Hat Desktop (v. 4)
SRPMS:
evolution-2.0.2-41.el4_7.2.src.rpm     b2099280cdc2e800b91ef376723598a0
evolution-data-server-1.0.2-14.el4_7.1.src.rpm     a25472b34b32d352dc5095880ae399d7
 
IA-32:
evolution-2.0.2-41.el4_7.2.i386.rpm     49331fb4e97b0c1a69c3acc2b03a9c15
evolution-data-server-1.0.2-14.el4_7.1.i386.rpm     4e2f890550c66de5d45afbbddaed7fba
evolution-data-server-devel-1.0.2-14.el4_7.1.i386.rpm     c00f80c33b4968601918da4a1f8efdb6
evolution-devel-2.0.2-41.el4_7.2.i386.rpm     c23f73e6b4affcc2d0953a807a16a817
 
x86_64:
evolution-2.0.2-41.el4_7.2.x86_64.rpm     59c0a49d79dd7c4311d459959e83d01d
evolution-data-server-1.0.2-14.el4_7.1.i386.rpm     4e2f890550c66de5d45afbbddaed7fba
evolution-data-server-1.0.2-14.el4_7.1.x86_64.rpm     31236005484618069059d893c9d4eafa
evolution-data-server-devel-1.0.2-14.el4_7.1.x86_64.rpm     73b590c385e57212778a6e12f369c47d
evolution-devel-2.0.2-41.el4_7.2.x86_64.rpm     154ff3339a8c83f289e3699e24ecb132
 
Red Hat Enterprise Linux AS (v. 4)
SRPMS:
evolution-2.0.2-41.el4_7.2.src.rpm     b2099280cdc2e800b91ef376723598a0
evolution-data-server-1.0.2-14.el4_7.1.src.rpm     a25472b34b32d352dc5095880ae399d7
 
IA-32:
evolution-2.0.2-41.el4_7.2.i386.rpm     49331fb4e97b0c1a69c3acc2b03a9c15
evolution-data-server-1.0.2-14.el4_7.1.i386.rpm     4e2f890550c66de5d45afbbddaed7fba
evolution-data-server-devel-1.0.2-14.el4_7.1.i386.rpm     c00f80c33b4968601918da4a1f8efdb6
evolution-devel-2.0.2-41.el4_7.2.i386.rpm     c23f73e6b4affcc2d0953a807a16a817
 
IA-64:
evolution-2.0.2-41.el4_7.2.ia64.rpm     f9a5c46d3e3a0d35852735c9b8f75829
evolution-data-server-1.0.2-14.el4_7.1.ia64.rpm     42a172ec5d06fcef6b8a9a37b0943fe4
evolution-data-server-devel-1.0.2-14.el4_7.1.ia64.rpm     d54e2ca7ff76ef551995383d5468ef1f
evolution-devel-2.0.2-41.el4_7.2.ia64.rpm     30eaf03f310795e84b30dc1f10bb25d1
 
PPC:
evolution-2.0.2-41.el4_7.2.ppc.rpm     903de15997484c32ab556e85e5d87117
evolution-data-server-1.0.2-14.el4_7.1.ppc.rpm     9609fc28b85879eeefa11926e10192e0
evolution-data-server-devel-1.0.2-14.el4_7.1.ppc.rpm     eaea6aaa397fff11e5cc3b022b5e4a43
evolution-devel-2.0.2-41.el4_7.2.ppc.rpm     4bda3d299deabc6b52640b84c08eb799
 
s390:
evolution-2.0.2-41.el4_7.2.s390.rpm     5fe26eb561a6813a48380207a4f3f8f9
evolution-data-server-1.0.2-14.el4_7.1.s390.rpm     754715236e75f4f96a622d078e5bd1a7
evolution-data-server-devel-1.0.2-14.el4_7.1.s390.rpm     324daae57e7251798bdbc8b597702468
evolution-devel-2.0.2-41.el4_7.2.s390.rpm     c22175635ecbbc1274cfeb6d699aff61
 
s390x:
evolution-2.0.2-41.el4_7.2.s390x.rpm     2baad505ae4fef1dc148b8f93453a890
evolution-data-server-1.0.2-14.el4_7.1.s390x.rpm     fc82a6eed70286205d684dd7b35e0164
evolution-data-server-devel-1.0.2-14.el4_7.1.s390x.rpm     4b67b87315035e012e469dd56c18d930
evolution-devel-2.0.2-41.el4_7.2.s390x.rpm     69b6421ede5673e4f5f54e8e5e2a6f48
 
x86_64:
evolution-2.0.2-41.el4_7.2.x86_64.rpm     59c0a49d79dd7c4311d459959e83d01d
evolution-data-server-1.0.2-14.el4_7.1.i386.rpm     4e2f890550c66de5d45afbbddaed7fba
evolution-data-server-1.0.2-14.el4_7.1.x86_64.rpm     31236005484618069059d893c9d4eafa
evolution-data-server-devel-1.0.2-14.el4_7.1.x86_64.rpm     73b590c385e57212778a6e12f369c47d
evolution-devel-2.0.2-41.el4_7.2.x86_64.rpm     154ff3339a8c83f289e3699e24ecb132
 
Red Hat Enterprise Linux AS (v. 4.7.z)
SRPMS:
evolution-2.0.2-41.el4_7.2.src.rpm     b2099280cdc2e800b91ef376723598a0
evolution-data-server-1.0.2-14.el4_7.1.src.rpm     a25472b34b32d352dc5095880ae399d7
 
IA-32:
evolution-2.0.2-41.el4_7.2.i386.rpm     49331fb4e97b0c1a69c3acc2b03a9c15
evolution-data-server-1.0.2-14.el4_7.1.i386.rpm     4e2f890550c66de5d45afbbddaed7fba
evolution-data-server-devel-1.0.2-14.el4_7.1.i386.rpm     c00f80c33b4968601918da4a1f8efdb6
evolution-devel-2.0.2-41.el4_7.2.i386.rpm     c23f73e6b4affcc2d0953a807a16a817
 
IA-64:
evolution-2.0.2-41.el4_7.2.ia64.rpm     f9a5c46d3e3a0d35852735c9b8f75829
evolution-data-server-1.0.2-14.el4_7.1.ia64.rpm     42a172ec5d06fcef6b8a9a37b0943fe4
evolution-data-server-devel-1.0.2-14.el4_7.1.ia64.rpm     d54e2ca7ff76ef551995383d5468ef1f
evolution-devel-2.0.2-41.el4_7.2.ia64.rpm     30eaf03f310795e84b30dc1f10bb25d1
 
PPC:
evolution-2.0.2-41.el4_7.2.ppc.rpm     903de15997484c32ab556e85e5d87117
evolution-data-server-1.0.2-14.el4_7.1.ppc.rpm     9609fc28b85879eeefa11926e10192e0
evolution-data-server-devel-1.0.2-14.el4_7.1.ppc.rpm     eaea6aaa397fff11e5cc3b022b5e4a43
evolution-devel-2.0.2-41.el4_7.2.ppc.rpm     4bda3d299deabc6b52640b84c08eb799
 
s390:
evolution-2.0.2-41.el4_7.2.s390.rpm     5fe26eb561a6813a48380207a4f3f8f9
evolution-data-server-1.0.2-14.el4_7.1.s390.rpm     754715236e75f4f96a622d078e5bd1a7
evolution-data-server-devel-1.0.2-14.el4_7.1.s390.rpm     324daae57e7251798bdbc8b597702468
evolution-devel-2.0.2-41.el4_7.2.s390.rpm     c22175635ecbbc1274cfeb6d699aff61
 
s390x:
evolution-2.0.2-41.el4_7.2.s390x.rpm     2baad505ae4fef1dc148b8f93453a890
evolution-data-server-1.0.2-14.el4_7.1.s390x.rpm     fc82a6eed70286205d684dd7b35e0164
evolution-data-server-devel-1.0.2-14.el4_7.1.s390x.rpm     4b67b87315035e012e469dd56c18d930
evolution-devel-2.0.2-41.el4_7.2.s390x.rpm     69b6421ede5673e4f5f54e8e5e2a6f48
 
x86_64:
evolution-2.0.2-41.el4_7.2.x86_64.rpm     59c0a49d79dd7c4311d459959e83d01d
evolution-data-server-1.0.2-14.el4_7.1.i386.rpm     4e2f890550c66de5d45afbbddaed7fba
evolution-data-server-1.0.2-14.el4_7.1.x86_64.rpm     31236005484618069059d893c9d4eafa
evolution-data-server-devel-1.0.2-14.el4_7.1.x86_64.rpm     73b590c385e57212778a6e12f369c47d
evolution-devel-2.0.2-41.el4_7.2.x86_64.rpm     154ff3339a8c83f289e3699e24ecb132
 
Red Hat Enterprise Linux ES (v. 4)
SRPMS:
evolution-2.0.2-41.el4_7.2.src.rpm     b2099280cdc2e800b91ef376723598a0
evolution-data-server-1.0.2-14.el4_7.1.src.rpm     a25472b34b32d352dc5095880ae399d7
 
IA-32:
evolution-2.0.2-41.el4_7.2.i386.rpm     49331fb4e97b0c1a69c3acc2b03a9c15
evolution-data-server-1.0.2-14.el4_7.1.i386.rpm     4e2f890550c66de5d45afbbddaed7fba
evolution-data-server-devel-1.0.2-14.el4_7.1.i386.rpm     c00f80c33b4968601918da4a1f8efdb6
evolution-devel-2.0.2-41.el4_7.2.i386.rpm     c23f73e6b4affcc2d0953a807a16a817
 
IA-64:
evolution-2.0.2-41.el4_7.2.ia64.rpm     f9a5c46d3e3a0d35852735c9b8f75829
evolution-data-server-1.0.2-14.el4_7.1.ia64.rpm     42a172ec5d06fcef6b8a9a37b0943fe4
evolution-data-server-devel-1.0.2-14.el4_7.1.ia64.rpm     d54e2ca7ff76ef551995383d5468ef1f
evolution-devel-2.0.2-41.el4_7.2.ia64.rpm     30eaf03f310795e84b30dc1f10bb25d1
 
x86_64:
evolution-2.0.2-41.el4_7.2.x86_64.rpm     59c0a49d79dd7c4311d459959e83d01d
evolution-data-server-1.0.2-14.el4_7.1.i386.rpm     4e2f890550c66de5d45afbbddaed7fba
evolution-data-server-1.0.2-14.el4_7.1.x86_64.rpm     31236005484618069059d893c9d4eafa
evolution-data-server-devel-1.0.2-14.el4_7.1.x86_64.rpm     73b590c385e57212778a6e12f369c47d
evolution-devel-2.0.2-41.el4_7.2.x86_64.rpm     154ff3339a8c83f289e3699e24ecb132
 
Red Hat Enterprise Linux ES (v. 4.7.z)
SRPMS:
evolution-2.0.2-41.el4_7.2.src.rpm     b2099280cdc2e800b91ef376723598a0
evolution-data-server-1.0.2-14.el4_7.1.src.rpm     a25472b34b32d352dc5095880ae399d7
 
IA-32:
evolution-2.0.2-41.el4_7.2.i386.rpm     49331fb4e97b0c1a69c3acc2b03a9c15
evolution-data-server-1.0.2-14.el4_7.1.i386.rpm     4e2f890550c66de5d45afbbddaed7fba
evolution-data-server-devel-1.0.2-14.el4_7.1.i386.rpm     c00f80c33b4968601918da4a1f8efdb6
evolution-devel-2.0.2-41.el4_7.2.i386.rpm     c23f73e6b4affcc2d0953a807a16a817
 
IA-64:
evolution-2.0.2-41.el4_7.2.ia64.rpm     f9a5c46d3e3a0d35852735c9b8f75829
evolution-data-server-1.0.2-14.el4_7.1.ia64.rpm     42a172ec5d06fcef6b8a9a37b0943fe4
evolution-data-server-devel-1.0.2-14.el4_7.1.ia64.rpm     d54e2ca7ff76ef551995383d5468ef1f
evolution-devel-2.0.2-41.el4_7.2.ia64.rpm     30eaf03f310795e84b30dc1f10bb25d1
 
x86_64:
evolution-2.0.2-41.el4_7.2.x86_64.rpm     59c0a49d79dd7c4311d459959e83d01d
evolution-data-server-1.0.2-14.el4_7.1.i386.rpm     4e2f890550c66de5d45afbbddaed7fba
evolution-data-server-1.0.2-14.el4_7.1.x86_64.rpm     31236005484618069059d893c9d4eafa
evolution-data-server-devel-1.0.2-14.el4_7.1.x86_64.rpm     73b590c385e57212778a6e12f369c47d
evolution-devel-2.0.2-41.el4_7.2.x86_64.rpm     154ff3339a8c83f289e3699e24ecb132
 
Red Hat Enterprise Linux WS (v. 4)
SRPMS:
evolution-2.0.2-41.el4_7.2.src.rpm     b2099280cdc2e800b91ef376723598a0
evolution-data-server-1.0.2-14.el4_7.1.src.rpm     a25472b34b32d352dc5095880ae399d7
 
IA-32:
evolution-2.0.2-41.el4_7.2.i386.rpm     49331fb4e97b0c1a69c3acc2b03a9c15
evolution-data-server-1.0.2-14.el4_7.1.i386.rpm     4e2f890550c66de5d45afbbddaed7fba
evolution-data-server-devel-1.0.2-14.el4_7.1.i386.rpm     c00f80c33b4968601918da4a1f8efdb6
evolution-devel-2.0.2-41.el4_7.2.i386.rpm     c23f73e6b4affcc2d0953a807a16a817
 
IA-64:
evolution-2.0.2-41.el4_7.2.ia64.rpm     f9a5c46d3e3a0d35852735c9b8f75829
evolution-data-server-1.0.2-14.el4_7.1.ia64.rpm     42a172ec5d06fcef6b8a9a37b0943fe4
evolution-data-server-devel-1.0.2-14.el4_7.1.ia64.rpm     d54e2ca7ff76ef551995383d5468ef1f
evolution-devel-2.0.2-41.el4_7.2.ia64.rpm     30eaf03f310795e84b30dc1f10bb25d1
 
x86_64:
evolution-2.0.2-41.el4_7.2.x86_64.rpm     59c0a49d79dd7c4311d459959e83d01d
evolution-data-server-1.0.2-14.el4_7.1.i386.rpm     4e2f890550c66de5d45afbbddaed7fba
evolution-data-server-1.0.2-14.el4_7.1.x86_64.rpm     31236005484618069059d893c9d4eafa
evolution-data-server-devel-1.0.2-14.el4_7.1.x86_64.rpm     73b590c385e57212778a6e12f369c47d
evolution-devel-2.0.2-41.el4_7.2.x86_64.rpm     154ff3339a8c83f289e3699e24ecb132
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

484925 - CVE-2009-0547 evolution-data-server: S/MIME signatures are considered to be valid even for modified messages (MITM)
487685 - CVE-2009-0582 evolution-data-server: insufficient checking of NTLM authentication challenge packets
488226 - CVE-2009-0587 evolution-data-server: integer overflow in base64 encoding functions


References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0547
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0582
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0587
http://www.redhat.com/security/updates/classification/#moderate

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/