Mandriva Linux Security Advisory : evolution (MDVSA-2008:111)

This script is Copyright (C) 2009-2013 Tenable Network Security, Inc.


Synopsis :

The remote Mandriva Linux host is missing one or more security
updates.

Description :

Alan Rad Pop of Secunia Research discovered the following two
vulnerabilities in Evolution :

Evolution did not properly validate timezone data when processing
iCalendar attachments. If a user disabled the Itip Formatter plugin
and viewed a crafted iCalendar attachment, an attacker could cause a
denial of service or potentially execute arbitrary code with the
user's privileges (CVE-2008-1108).

Evolution also did not properly validate the DESCRIPTION field when
processing iCalendar attachments. If a user were tricked into
accepting a crafted iCalendar attachment and replied to it from the
calendar window, an attacker could cause a denial of service or
potentially execute arbitrary code with the user's privileges
(CVE-2008-1109).

In addition, Matej Cepl found that Evolution did not properly validate
date fields when processing iCalendar attachments, which could lead to
a denial of service if the user viewed a crafted iCalendar attachment
with the Itip Formatter plugin disabled.

Mandriva Linux has the Itip Formatter plugin enabled by default.

The updated packages have been patched to prevent these issues.

Solution :

Update the affected packages.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)

Family: Mandriva Local Security Checks

Nessus Plugin ID: 37236 (mandriva_MDVSA-2008-111.nasl)

Bugtraq ID:

CVE ID: CVE-2008-1108, CVE-2008-1109
