Vulnerabilities > CVE-2005-2549 - Format String vulnerability in GNOME Evolution

047910
CVSS v2 base score 7.5 - HIGH (vector AV:N/AC:L/Au:N/C:P/I:P/A:P)
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
gnome
nessus

Summary

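Multiple format string vulnerabilities in Evolution 1.5 through 2.3.6.1 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via (1) full vCard data, (2) contact data from remote LDAP servers, or (3) task list data from remote servers. The vendor advisories quoted below describe each vector as depending on a user action in Evolution (viewing the malicious vCard, connecting to the malicious LDAP server, or displaying the remote task list), with any resulting code running as the user running Evolution.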

Nessus

  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2005-743.NASL
    description: Fix for SITIC Vulnerability Advisory SA05-001. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 19437
    published: 2005-08-18
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/19437
    title: Fedora Core 4 : evolution-2.2.3-2.fc4 (2005-743)
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2005-743.
    #
    
    include("compat.inc");
    
    # Registration pass: when `description` is set, the plugin only declares its
    # metadata (ids, references, text, CVSS vector, CPEs, dependencies) and
    # exits at the end of this block without examining the host.
    if (description)
    {
      script_id(19437);
      script_version ("1.12");
      script_cvs_date("Date: 2019/08/02 13:32:24");
    
      # One Fedora update is mapped to two CVE ids, so a finding from this
      # package-version check applies to both and does not distinguish them.
      script_cve_id("CVE-2005-2549", "CVE-2005-2550");
      script_xref(name:"FEDORA", value:"2005-743");
    
      script_name(english:"Fedora Core 4 : evolution-2.2.3-2.fc4 (2005-743)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora Core host is missing a security update."
      );
      # NOTE(review): the description text names only the advisory
      # (SITIC SA05-001) and carries no detail about the flaw itself; the
      # issue is identified solely through script_cve_id() above.
      script_set_attribute(
        attribute:"description", 
        value:
    "Fix for SITIC Vulnerability Advisory SA05-001
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      # https://lists.fedoraproject.org/pipermail/announce/2005-August/001215.html
      # NOTE(review): the see_also value is a shortened http:// link;
      # presumably it resolves to the announce URL in the comment above -
      # confirm before relying on it.
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?715604a2"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Update the affected evolution, evolution-debuginfo and / or
    evolution-devel packages."
      );
      # CVSS v2 base vector: network access, low access complexity, no
      # authentication, partial confidentiality / integrity / availability
      # impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      # NOTE(review): "local" presumably marks a check that evaluates data
      # collected from the host itself rather than probing a network service;
      # that matches the Host/* KB keys required at the end of this block.
      script_set_attribute(attribute:"plugin_type", value:"local");
      # CPEs: the three evolution packages checked further down, plus the
      # Fedora Core 4 platform.
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:evolution");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:evolution-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:evolution-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:4");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/08/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/08/18");
      # Closes the attribute list; every script_set_attribute() call precedes it.
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");
    
      # The check body reads the three KB items required here.
      # ssh_get_info.nasl is declared as a dependency; presumably it is the
      # plugin that populates them - confirm.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      # Metadata only: stop here so the host check below does not run in this pass.
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    # Pre-flight gating: every guard below hands a reason code to audit() when
    # the host is out of scope for this check.
    # NOTE(review): audit() comes from audit.inc (not shown) and is presumably
    # terminal; the statements after each guard rely on that - confirm.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    # The release string must exist and contain "Fedora" (`>!<` is the NASL
    # "substring is not in" operator).
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    # Capture the run of digits that follows "release" as the OS version.
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    # Accept "4" alone or "4" followed by a non-digit, so versions such as
    # "40" do not pass as Fedora Core 4.
    if (! ereg(pattern:"^4([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 4.x", "Fedora " + os_ver);
    
    # Without a package inventory there is nothing to compare against.
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Only x86_64 and i386..i686 are handled; any other architecture is
    # audited out as not implemented rather than reported as unaffected.
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    # Count how many of the three evolution packages rpm_check() flags against
    # the fixed Fedora Core 4 build. Every package is evaluated; a hit on one
    # does not skip the others.
    # NOTE(review): rpm_check() comes from rpm.inc (not shown); presumably it
    # returns true when the installed package is older than the reference.
    flag = 0;
    foreach fixed_pkg (make_list(
      "evolution-2.2.3-2.fc4",
      "evolution-debuginfo-2.2.3-2.fc4",
      "evolution-devel-2.2.3-2.fc4"))
    {
      if (rpm_check(release:"FC4", reference:fixed_pkg)) flag++;
    }
    
    
    # Outcome: with no flagged package, record why nothing was reported;
    # otherwise raise the finding on port 0.
    if (!flag)
    {
      # Distinguish "none of the packages is installed" from "packages were
      # tested and found not affected".
      tested = pkg_tests_get();
      if (!tested) audit(AUDIT_PACKAGE_NOT_INSTALLED, "evolution / evolution-debuginfo / evolution-devel");
      else audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
    }
    else
    {
      # The package detail from rpm_report_get() is attached only when report
      # verbosity is above zero.
      if (report_verbosity > 0)
        security_hole(port:0, extra:rpm_report_get());
      else
        security_hole(0);
      exit(0);
    }
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-1016.NASL
    description: Ulf Harnhammar discovered several format string vulnerabilities in Evolution, a free groupware suite, that could lead to crashes of the application or the execution of arbitrary code.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22558
    published: 2006-10-14
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/22558
    title: Debian DSA-1016-1 : evolution - format string vulnerabilities
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2005-141.NASL
    description: Multiple format string vulnerabilities in Evolution 1.5 through 2.3.6.1 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via (1) full vCard data, (2) contact data from remote LDAP servers, or (3) task list data from remote servers. (CVE-2005-2549) A format string vulnerability in Evolution 1.4 through 2.3.6.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the calendar entries such as task lists, which are not properly handled when the user selects the Calendars tab. (CVE-2005-2550)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 19898
    published: 2005-10-05
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/19898
    title: Mandrake Linux Security Advisory : evolution (MDKSA-2005:141)
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2005-267.NASL
    description: Updated evolution packages that fix a format string issue are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. Evolution is the GNOME collection of personal information management (PIM) tools. A format string bug was found in Evolution. If a user tries to save a carefully crafted meeting or appointment, arbitrary code may be executed as the user running Evolution. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-2550 to this issue. Additionally, several other format string bugs were found in Evolution. If a user views a malicious vCard, connects to a malicious LDAP server, or displays a task list from a malicious remote server, arbitrary code may be executed as the user running Evolution. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-2549 to this issue. Please note that this issue only affects Red Hat Enterprise Linux 4. All users of Evolution should upgrade to these updated packages, which contain a backported patch which resolves this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21922
    published: 2006-07-05
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/21922
    title: CentOS 3 / 4 : Evolution (CESA-2005:267)
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200508-12.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200508-12 (Evolution: Format string vulnerabilities) Ulf Harnhammar discovered that Evolution is vulnerable to format string bugs when viewing attached vCards and when displaying contact information from remote LDAP servers or task list data from remote servers (CAN-2005-2549). He also discovered that Evolution fails to handle special calendar entries if the user switches to the Calendars tab (CAN-2005-2550). Impact : An attacker could attach specially crafted vCards to emails or set up malicious LDAP servers or calendar entries which would trigger the format string vulnerabilities when viewed or accessed from Evolution. This could potentially result in the execution of arbitrary code with the rights of the user running Evolution. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 19485
    published: 2005-08-23
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/19485
    title: GLSA-200508-12 : Evolution: Format string vulnerabilities
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SA_2005_054.NASL
    description: The remote host is missing the patch for the advisory SUSE-SA:2005:054 (evolution). Several format string bugs allowed remote attackers to cause evolution to crash or even execute code via full vCard data, contact data from remote LDAP servers, task list data from remote servers (CVE-2005-2549) or calendar entries (CVE-2005-2550).
    last seen: 2019-10-28
    modified: 2005-10-05
    plugin id: 19933
    published: 2005-10-05
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/19933
    title: SUSE-SA:2005:054: evolution
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2005-267.NASL
    description: Updated evolution packages that fix a format string issue are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. Evolution is the GNOME collection of personal information management (PIM) tools. A format string bug was found in Evolution. If a user tries to save a carefully crafted meeting or appointment, arbitrary code may be executed as the user running Evolution. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-2550 to this issue. Additionally, several other format string bugs were found in Evolution. If a user views a malicious vCard, connects to a malicious LDAP server, or displays a task list from a malicious remote server, arbitrary code may be executed as the user running Evolution. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-2549 to this issue. Please note that this issue only affects Red Hat Enterprise Linux 4. All users of Evolution should upgrade to these updated packages, which contain a backported patch which resolves this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 19542
    published: 2005-08-30
    reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/19542
    title: RHEL 3 / 4 : Evolution (RHSA-2005:267)
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_E5AFDF63174611DA978E0001020EED82.NASL
    description: A SITIC Vulnerability Advisory reports : Evolution suffers from several format string bugs when handling data from remote sources. These bugs lead to crashes or the execution of arbitrary assembly language code. - The first format string bug occurs when viewing the full vCard data attached to an e-mail message. - The second format string bug occurs when displaying contact data from remote LDAP servers. - The third format string bug occurs when displaying task list data from remote servers. - The fourth, and least serious, format string bug occurs when the user goes to the Calendars tab to save task list data that is vulnerable to problem 3 above. Other calendar entries that do not come from task lists are also affected.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21526
    published: 2006-05-13
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/21526
    title: FreeBSD : evolution -- remote format string vulnerabilities (e5afdf63-1746-11da-978e-0001020eed82)

Oval

accepted: 2013-04-29T04:20:12.531-04:00
class: vulnerability
contributors:
  • name: Aharon Chernin
    organization: SCAP.com, LLC
  • name: Dragos Prisaca
    organization: G2, Inc.
definition_extensions:
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 3
    oval: oval:org.mitre.oval:def:11782
  • comment: CentOS Linux 3.x
    oval: oval:org.mitre.oval:def:16651
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 4
    oval: oval:org.mitre.oval:def:11831
  • comment: CentOS Linux 4.x
    oval: oval:org.mitre.oval:def:16636
  • comment: Oracle Linux 4.x
    oval: oval:org.mitre.oval:def:15990
description: Multiple format string vulnerabilities in Evolution 1.5 through 2.3.6.1 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via (1) full vCard data, (2) contact data from remote LDAP servers, or (3) task list data from remote servers.
family: unix
id: oval:org.mitre.oval:def:9553
status: accepted
submitted: 2010-07-09T03:56:16-04:00
title: Multiple format string vulnerabilities in Evolution 1.5 through 2.3.6.1 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via (1) full vCard data, (2) contact data from remote LDAP servers, or (3) task list data from remote servers.
version: 26

Redhat

advisories
rhsa
id: RHSA-2005:267
rpms
  • evolution-0:1.4.5-16
  • evolution-0:2.0.2-16.3
  • evolution-debuginfo-0:1.4.5-16
  • evolution-debuginfo-0:2.0.2-16.3
  • evolution-devel-0:1.4.5-16
  • evolution-devel-0:2.0.2-16.3