Mandriva- Advisories MDVSA-2008:111: Updated Evolution packages fix vulnerabilities

[Mandriva]

Advisories MDVSA-2008:111: Updated Evolution packages fix vulnerabilities
Alan Rad Pop of Secunia Research discovered the following two
vulnerabilities in Evolution:

Evolution did not properly validate timezone data when processing
iCalendar attachments. If a user disabled the Itip Formatter plugin
and viewed a crafted iCalendar attachment, an attacker could cause
a denial of service or potentially execute arbitrary code with the
user's privileges (CVE-2008-1108).

Evolution also did not properly validate the DESCRIPTION field when
processing iCalendar attachments. If a user were tricked into
accepting a crafted iCalendar attachment and replied to it from
the calendar window, an attacker could cause a denial of service
or potentially execute arbitrary code with the user's privileges
(CVE-2008-1109).

In addition, Matej Cepl found that Evolution did not properly validate
date fields when processing iCalendar attachments, which could lead to
a denial of service if the user viewed a crafted iCalendar attachment
with the Itip Formatter plugin disabled.

Mandriva Linux has the Itip Formatter plugin enabled by default.

The updated packages have been patched to prevent these issues.
http://mandrivausers.org/index.php?showtopic=60664
http://mandrivausers.org/index.php?showtopic=60664
Tue, 10 Jun 2008 21:00:32 +0000