
Friday, June 29, 2007

[SECURITY] [DSA 1325-1] New evolution packages fix arbitrary code execution

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1325-1 security@debian.org
http://www.debian.org/security/

Moritz Muehlenhoff
June 29th, 2007

http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package : evolution
Vulnerability : several
Problem-Type : remote
Debian-specific: no
CVE ID : CVE-2007-1002 CVE-2007-3257

Several remote vulnerabilities have been discovered in Evolution, a
groupware suite with mail client and organizer. The Common Vulnerabilities
and Exposures project identifies the following problems:

CVE-2007-1002

Ulf Harnhammer discovered that a format string vulnerability in
the handling of shared calendars may allow the execution of arbitrary
code.

CVE-2007-3257

It was discovered that the IMAP code in the Evolution Data Server
performs insufficient sanitising of a value later used as an array index,
which can lead to the execution of arbitrary code.

For the oldstable distribution (sarge) these problems have been fixed in
version 2.0.4-2sarge2. Packages for hppa, mips and powerpc are not yet
available. They will be provided later.

For the stable distribution (etch) these problems have been fixed
in version 2.6.3-6etch1. Packages for mips are not yet available. They
will be provided later.

For the unstable distribution (sid) these problems will be fixed soon.

We recommend that you upgrade your evolution packages.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
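The manual path above ("wget url", then "dpkg -i file.deb") has no step between the download and the install, yet the advisory publishes a "Size/MD5 checksum:" line for every file precisely so that step can exist. The script below is an added example, not part of DSA 1325-1 or of Debian's tooling: it looks up the checksum line for a URL in a saved copy of the advisory text, compares size and MD5 of the downloaded file against it, and only then hands the file to dpkg. The function names (verify_deb, lookup_checksum, install_if_verified), the example.invalid URL, the 6-byte stand-in file and its checksum are all constructed for the demonstration; dpkg -i is echoed rather than run.

```shell
#!/bin/sh
# Added example, not from the advisory: gate "dpkg -i" on the Size/MD5
# line the DSA prints for each file. Sample data at the bottom is constructed.

# MD5 of a file: md5sum on GNU/Linux, openssl as a fallback elsewhere.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | sed 's/.*= //'
    fi
}

# Byte size of a file; tr strips the padding BSD wc prints.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# verify_deb FILE SIZE MD5 -> returns 0 only if both values match.
# Size is checked first: a truncated download fails fast and cheaply.
verify_deb() {
    f=$1; want_size=$2; want_md5=$3
    got_size=$(file_size "$f")
    if [ "$got_size" != "$want_size" ]; then
        echo "size mismatch for $f: got $got_size, advisory says $want_size" >&2
        return 1
    fi
    got_md5=$(file_md5 "$f")
    if [ "$got_md5" != "$want_md5" ]; then
        echo "md5 mismatch for $f: got $got_md5, advisory says $want_md5" >&2
        return 1
    fi
    return 0
}

# lookup_checksum URL < ADVISORY_TEXT -> prints "<size> <md5>" for that URL.
# Relies on the DSA layout: the URL line is followed (possibly after a blank
# line) by its "Size/MD5 checksum: <size> <md5>" line.
lookup_checksum() {
    awk -v url="$1" '
        $0 == url { want = 1; next }
        want && /Size\/MD5 checksum:/ { print $3, $4; exit }
    '
}

# install_if_verified URL ADVISORY_FILE DOWNLOAD_DIR: the advisory's
# "wget url; dpkg -i file.deb" sequence with the checksum gate in between.
# The dpkg command is only printed here; run it yourself once the gate passes.
install_if_verified() {
    url=$1; advisory=$2; dir=$3
    set -- $(lookup_checksum "$url" < "$advisory")
    [ $# -eq 2 ] || { echo "no checksum for $url in advisory" >&2; return 1; }
    deb="$dir/$(basename "$url")"
    [ -f "$deb" ] || wget -q -O "$deb" "$url"
    verify_deb "$deb" "$1" "$2" || return 1
    echo "dpkg -i $deb"
}

# Constructed demonstration data (not a real package, URL or advisory value):
# a 6-byte stand-in "package" and a two-line advisory excerpt that matches it.
demo_dir=$(mktemp -d)
printf 'hello\n' > "$demo_dir/evolution_example.deb"
cat > "$demo_dir/advisory.txt" <<'EOF'
http://example.invalid/evolution_example.deb

    Size/MD5 checksum:        6 b1946ac92492d2347c6235b4d2611184
EOF
install_if_verified http://example.invalid/evolution_example.deb \
    "$demo_dir/advisory.txt" "$demo_dir"
```

For a real update, save the advisory mail to a file and point install_if_verified at one of the URLs listed under your release and architecture; the file is fetched with wget only if it is not already in the download directory, so a re-run after a mismatch re-checks rather than re-downloads. MD5 is what this 2007 advisory publishes, so it is what the script checks; the PGP signature over the whole mail is what actually binds those checksums to Debian, and the integrity of the copy you paste in rests on having verified that signature first.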


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Source archives:

http://security.debian.org/pool/updates/main/e/evolution/evolution_2.6.3-6etch1.dsc

Size/MD5 checksum: 1977 578b24366558cbb610a52fde5df44b3b

http://security.debian.org/pool/updates/main/e/evolution/evolution_2.6.3-6etch1.diff.gz

Size/MD5 checksum: 54055 12965737c082f0532cf2d27cd7627a47

http://security.debian.org/pool/updates/main/e/evolution/evolution_2.6.3.orig.tar.gz

Size/MD5 checksum: 17176288 7af880364d53b18ba72b1f85f3813c81

Architecture independent components:

http://security.debian.org/pool/updates/main/e/evolution/evolution-common_2.6.3-6etch1_all.deb

Size/MD5 checksum: 10103432 5b0a1644494c4200d85c8ec4dcf578bd

Alpha architecture:

http://security.debian.org/pool/updates/main/e/evolution/evolution_2.6.3-6etch1_alpha.deb

Size/MD5 checksum: 2740178 58094673290b0d2f0f02724409f8de73

http://security.debian.org/pool/updates/main/e/evolution/evolution-dbg_2.6.3-6etch1_alpha.deb

Size/MD5 checksum: 6443430 c9a5ad93c1d5ef443c012997c32f7c92

http://security.debian.org/pool/updates/main/e/evolution/evolution-dev_2.6.3-6etch1_alpha.deb

Size/MD5 checksum: 218784 1d29838627ce81b8ed50959553a2e8bf

http://security.debian.org/pool/updates/main/e/evolution/evolution-plugins_2.6.3-6etch1_alpha.deb

Size/MD5 checksum: 119354 df6e947cef9e051d7e20a1dcebd82415

http://security.debian.org/pool/updates/main/e/evolution/evolution-plugins-experimental_2.6.3-6etch1_alpha.deb

Size/MD5 checksum: 94514 6fa19364ce5e782a4dfed7e18ecc3e37

AMD64 architecture:

http://security.debian.org/pool/updates/main/e/evolution/evolution_2.6.3-6etch1_amd64.deb

Size/MD5 checksum: 2564562 c8421df9d8ca72b77334540c46b5198f

http://security.debian.org/pool/updates/main/e/evolution/evolution-dbg_2.6.3-6etch1_amd64.deb

Size/MD5 checksum: 6504728 525c0348998ec55980c3fd3384a0b6f0

http://security.debian.org/pool/updates/main/e/evolution/evolution-dev_2.6.3-6etch1_amd64.deb

Size/MD5 checksum: 213638 9bac9cf35da6ffe9cb19abb20ba63aed

http://security.debian.org/pool/updates/main/e/evolution/evolution-plugins_2.6.3-6etch1_amd64.deb

Size/MD5 checksum: 117566 8415d9121b8c63e25b3cdf8109b43f81

http://security.debian.org/pool/updates/main/e/evolution/evolution-plugins-experimental_2.6.3-6etch1_amd64.deb

Size/MD5 checksum: 94500 5fa8d2938b94f43216dc2170291da97d

ARM architecture:

http://security.debian.org/pool/updates/main/e/evolution/evolution_2.6.3-6etch1_arm.deb

Size/MD5 checksum: 2250610 44497cf9d0a45358384187ac7efab563

http://security.debian.org/pool/updates/main/e/evolution/evolution-dbg_2.6.3-6etch1_arm.deb

Size/MD5 checksum: 6188510 37315f3a07a716a6e5023aa6607fdf7c

http://security.debian.org/pool/updates/main/e/evolution/evolution-dev_2.6.3-6etch1_arm.deb

Size/MD5 checksum: 213906 d5ad98f0c51b42a0d59edfe162c6e946

http://security.debian.org/pool/updates/main/e/evolution/evolution-plugins_2.6.3-6etch1_arm.deb

Size/MD5 checksum: 110274 e538017a89ae1122088990fc3d887cd5

http://security.debian.org/pool/updates/main/e/evolution/evolution-plugins-experimental_2.6.3-6etch1_arm.deb

Size/MD5 checksum: 91444 f179118a62ff229743e6847a7ce1b56d

HP Precision architecture:

http://security.debian.org/pool/updates/main/e/evolution/evolution_2.6.3-6etch1_hppa.deb

Size/MD5 checksum: 2857208 b647321570b2388244ca7aee5807e16b

http://security.debian.org/pool/updates/main/e/evolution/evolution-dbg_2.6.3-6etch1_hppa.deb

Size/MD5 checksum: 6436170 d324495c0bdd05d1c6f4929b84c2ea36

http://security.debian.org/pool/updates/main/e/evolution/evolution-dev_2.6.3-6etch1_hppa.deb

Size/MD5 checksum: 213704 1af2551c6e854634dd5ce597e60e9487

http://security.debian.org/pool/updates/main/e/evolution/evolution-plugins_2.6.3-6etch1_hppa.deb

Size/MD5 checksum: 120416 4a1d0998c2f924b3de5017fdb4a8c5d8

http://security.debian.org/pool/updates/main/e/evolution/evolution-plugins-experimental_2.6.3-6etch1_hppa.deb

Size/MD5 checksum: 95478 93bed95e8bd6dad12d3465c8ed6be0db

Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/e/evolution/evolution_2.6.3-6etch1_i386.deb

Size/MD5 checksum: 2403898 e0fe291efb927324afc9fec7a2dc53f6

http://security.debian.org/pool/updates/main/e/evolution/evolution-dbg_2.6.3-6etch1_i386.deb

Size/MD5 checksum: 6137476 0c5d0d9151dfb363cb9291181eb4a82b

http://security.debian.org/pool/updates/main/e/evolution/evolution-dev_2.6.3-6etch1_i386.deb

Size/MD5 checksum: 213648 94560dc3d0349489e04571f1ddb5a099

http://security.debian.org/pool/updates/main/e/evolution/evolution-plugins_2.6.3-6etch1_i386.deb

Size/MD5 checksum: 113164 747f1de321552792da380c4048037216

http://security.debian.org/pool/updates/main/e/evolution/evolution-plugins-experimental_2.6.3-6etch1_i386.deb

Size/MD5 checksum: 92396 cad5b0c3acfcd59001fc76587869ee10

Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/e/evolution/evolution_2.6.3-6etch1_ia64.deb

Size/MD5 checksum: 3419724 cdf39b6755216b8a72a8810d77166516

http://security.debian.org/pool/updates/main/e/evolution/evolution-dbg_2.6.3-6etch1_ia64.deb

Size/MD5 checksum: 6137680 c713dafa4535471d1304298c900631e9

http://security.debian.org/pool/updates/main/e/evolution/evolution-dev_2.6.3-6etch1_ia64.deb

Size/MD5 checksum: 213634 9b819bc46ce79faef462a7eb71773050

http://security.debian.org/pool/updates/main/e/evolution/evolution-plugins_2.6.3-6etch1_ia64.deb

Size/MD5 checksum: 129692 d4e1d68c1190f50adb9da1472754ff32

http://security.debian.org/pool/updates/main/e/evolution/evolution-plugins-experimental_2.6.3-6etch1_ia64.deb

Size/MD5 checksum: 99584 9bae1417cb9656164310660ad4860f08

Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/e/evolution/evolution_2.6.3-6etch1_mipsel.deb

Size/MD5 checksum: 2334086 f2dae7d431375bc0570206ba968a72d2

http://security.debian.org/pool/updates/main/e/evolution/evolution-dbg_2.6.3-6etch1_mipsel.deb

Size/MD5 checksum: 6484682 592f1e0ee53eb7e54e2be832076fd06a

http://security.debian.org/pool/updates/main/e/evolution/evolution-dev_2.6.3-6etch1_mipsel.deb

Size/MD5 checksum: 213670 d7272b29aef4160640556d60abf03def

http://security.debian.org/pool/updates/main/e/evolution/evolution-plugins_2.6.3-6etch1_mipsel.deb

Size/MD5 checksum: 112214 a0cd549d60096deb37759c28e08872d5

http://security.debian.org/pool/updates/main/e/evolution/evolution-plugins-experimental_2.6.3-6etch1_mipsel.deb

Size/MD5 checksum: 92442 fe82fee493dfd6f6f41b1cc152c8534e

PowerPC architecture:

http://security.debian.org/pool/updates/main/e/evolution/evolution_2.6.3-6etch1_powerpc.deb

Size/MD5 checksum: 2465894 39e6a477a30c49e42e496fc4c0b09c90

http://security.debian.org/pool/updates/main/e/evolution/evolution-dbg_2.6.3-6etch1_powerpc.deb

Size/MD5 checksum: 6513656 0666ce31cad6c1e28fe9e3d89aec8bf1

http://security.debian.org/pool/updates/main/e/evolution/evolution-dev_2.6.3-6etch1_powerpc.deb

Size/MD5 checksum: 213664 f2d904adba62e249336ec494f76a1fa5

http://security.debian.org/pool/updates/main/e/evolution/evolution-plugins_2.6.3-6etch1_powerpc.deb

Size/MD5 checksum: 124958 d17c947715c7f22ec36ed8eb2c42bfe6

http://security.debian.org/pool/updates/main/e/evolution/evolution-plugins-experimental_2.6.3-6etch1_powerpc.deb

Size/MD5 checksum: 99208 e36c5636970a8bf62791f1bfcdd52cb5

IBM S/390 architecture:

http://security.debian.org/pool/updates/main/e/evolution/evolution_2.6.3-6etch1_s390.deb

Size/MD5 checksum: 2690750 5fdde7518305b8e1b5ea620b672a676f

http://security.debian.org/pool/updates/main/e/evolution/evolution-dbg_2.6.3-6etch1_s390.deb

Size/MD5 checksum: 6397252 e6b747d66ff2f2509f2e9917e9c17a97

http://security.debian.org/pool/updates/main/e/evolution/evolution-dev_2.6.3-6etch1_s390.deb

Size/MD5 checksum: 213624 45a273c5d4ada0b910f0dc727bea5960

http://security.debian.org/pool/updates/main/e/evolution/evolution-plugins_2.6.3-6etch1_s390.deb

Size/MD5 checksum: 118260 cc9f6b42fa9e89d8b762292e5087a2bf

http://security.debian.org/pool/updates/main/e/evolution/evolution-plugins-experimental_2.6.3-6etch1_s390.deb

Size/MD5 checksum: 94170 b7c20d6bea74454b0fb344fab1f0c1a6

Sun Sparc architecture:

http://security.debian.org/pool/updates/main/e/evolution/evolution_2.6.3-6etch1_sparc.deb

Size/MD5 checksum: 2375188 9688ef4d3c948c77c8f9ec243fa13ffe

http://security.debian.org/pool/updates/main/e/evolution/evolution-dbg_2.6.3-6etch1_sparc.deb

Size/MD5 checksum: 6022044 1648818f346aa0e18ad7b9a6f47c4e51

http://security.debian.org/pool/updates/main/e/evolution/evolution-dev_2.6.3-6etch1_sparc.deb

Size/MD5 checksum: 213672 d666053b367b337d1393d8cd99acb2d2

http://security.debian.org/pool/updates/main/e/evolution/evolution-plugins_2.6.3-6etch1_sparc.deb

Size/MD5 checksum: 111144 2ab6e4a9e36b01b00356a0c0d8306e5b

http://security.debian.org/pool/updates/main/e/evolution/evolution-plugins-experimental_2.6.3-6etch1_sparc.deb

Size/MD5 checksum: 91356 d13430ac396cd25d464de07f0e809b92

Debian GNU/Linux 3.1 alias sarge
- --------------------------------

Source archives:

http://security.debian.org/pool/updates/main/e/evolution/evolution_2.0.4-2sarge2.dsc

Size/MD5 checksum: 1167 099060ef401e9bd005ecce322b2b1905

http://security.debian.org/pool/updates/main/e/evolution/evolution_2.0.4-2sarge2.diff.gz

Size/MD5 checksum: 293848 a0eecfdbfba9f098d200c6add4a27707

http://security.debian.org/pool/updates/main/e/evolution/evolution_2.0.4.orig.tar.gz

Size/MD5 checksum: 20968383 d555a0b1d56f0f0b9c33c35b057f73e6

Alpha architecture:

http://security.debian.org/pool/updates/main/e/evolution/evolution_2.0.4-2sarge2_alpha.deb

Size/MD5 checksum: 10648460 2cc1271a6bf74c07dda2e20b95215673

http://security.debian.org/pool/updates/main/e/evolution/evolution-dev_2.0.4-2sarge2_alpha.deb

Size/MD5 checksum: 163046 a6377c8f6cbc0ba6a18df3ab9f2573ea

AMD64 architecture:

http://security.debian.org/pool/updates/main/e/evolution/evolution_2.0.4-2sarge2_amd64.deb

Size/MD5 checksum: 10447646 b4f3f8a0e9a6cb98858d7af4bde78c19

http://security.debian.org/pool/updates/main/e/evolution/evolution-dev_2.0.4-2sarge2_amd64.deb

Size/MD5 checksum: 160332 7abdb02216902914d11f29f1f1f59024

ARM architecture:

http://security.debian.org/pool/updates/main/e/evolution/evolution_2.0.4-2sarge2_arm.deb

Size/MD5 checksum: 10251532 8e442313f5bed9aeebc63665bc41fb46

http://security.debian.org/pool/updates/main/e/evolution/evolution-dev_2.0.4-2sarge2_arm.deb

Size/MD5 checksum: 160552 7f3e4a5e9b7c245aa9412cfe04434921

Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/e/evolution/evolution_2.0.4-2sarge2_i386.deb

Size/MD5 checksum: 10232410 a4afa05be3fd2916e18e8633e1a409c7

http://security.debian.org/pool/updates/main/e/evolution/evolution-dev_2.0.4-2sarge2_i386.deb

Size/MD5 checksum: 160362 2abbd56ddb2e6fbea4db658bbec5f7f0

Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/e/evolution/evolution_2.0.4-2sarge2_ia64.deb

Size/MD5 checksum: 11419386 6116133ec485569c945402d7a07870d2

http://security.debian.org/pool/updates/main/e/evolution/evolution-dev_2.0.4-2sarge2_ia64.deb

Size/MD5 checksum: 160326 2dc98f5a820e1cce1b639abd74d78ba7

Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/e/evolution/evolution_2.0.4-2sarge2_m68k.deb

Size/MD5 checksum: 10387558 62b1d6f774f927862b6a8c1e83aa90a4

http://security.debian.org/pool/updates/main/e/evolution/evolution-dev_2.0.4-2sarge2_m68k.deb

Size/MD5 checksum: 160774 c32e6f33fee20a264f75b904d7f5486e

Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/e/evolution/evolution_2.0.4-2sarge2_mipsel.deb

Size/MD5 checksum: 10195334 5cc12dae2c5554048e578f506da61edb

http://security.debian.org/pool/updates/main/e/evolution/evolution-dev_2.0.4-2sarge2_mipsel.deb

Size/MD5 checksum: 160396 0e3d20548f09988d54e169a8aef9195b

IBM S/390 architecture:

http://security.debian.org/pool/updates/main/e/evolution/evolution_2.0.4-2sarge2_s390.deb

Size/MD5 checksum: 10639100 e703df57d83a286068ccdbc0979cd9aa

http://security.debian.org/pool/updates/main/e/evolution/evolution-dev_2.0.4-2sarge2_s390.deb

Size/MD5 checksum: 160326 b5b24541c481378eade7e085e1cbf403

Sun Sparc architecture:

http://security.debian.org/pool/updates/main/e/evolution/evolution_2.0.4-2sarge2_sparc.deb

Size/MD5 checksum: 10349344 0cf504d0a4acd1a0078fd155f82a6f81

http://security.debian.org/pool/updates/main/e/evolution/evolution-dev_2.0.4-2sarge2_sparc.deb

Size/MD5 checksum: 160390 1907f5d66dda48a061b664726c5a8bee


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGhR/YXm3vHE4uyloRAgbhAKDVto5or6DumtYkju44ysJyI3sGKQCfeIcH
bm6bjui7EBh5LheBcdJjSPc=
=Gidi
-----END PGP SIGNATURE-----


--
To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
