Vulnerabilities > CVE-2008-0072 - USE of Externally-Controlled Format String vulnerability in Gnome Evolution

047910
CVSS 6.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
linux
gnome
CWE-134
nessus

Summary

Format string vulnerability in the emf_multipart_encrypted function in mail/em-format.c in Evolution 2.12.3 and earlier allows remote attackers to execute arbitrary code via a crafted encrypted message, as demonstrated using the Version field.

Vulnerable Configurations

Part Description Count
OS
Linux
1
Application
Gnome
117

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Format String Injection
    An attacker includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An attacker can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the attacker can write to the program stack.
  • String Format Overflow in syslog()
    This attack targets the format string vulnerabilities in the syslog() function. An attacker would typically inject malicious input in the format string parameter of the syslog function. This is a common problem, and many public vulnerabilities and associated exploits have been posted.

Nessus

  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-583-1.NASL
    descriptionUlf Harnhammar discovered that Evolution did not correctly handle format strings when processing encrypted emails. A remote attacker could exploit this by sending a specially crafted email, resulting in arbitrary code execution. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id31405
    published2008-03-07
    reporterUbuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/31405
    titleUbuntu 6.06 LTS / 6.10 / 7.04 / 7.10 : evolution vulnerability (USN-583-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_EVOLUTION-5086.NASL
    descriptionThis update of evolution fixes multiple format-string vulnerabilities that can occur while processing encrypted messages. (CVE-2008-0072)
    last seen2020-06-01
    modified2020-06-02
    plugin id31453
    published2008-03-13
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/31453
    titleSuSE 10 Security Update : evolution (ZYPP Patch Number 5086)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_EVOLUTION-5087.NASL
    descriptionThis update of evolution fixes multiple format-string vulnerabilities that can occur while processing encrypted messages. (CVE-2008-0072)
    last seen2020-06-01
    modified2020-06-02
    plugin id31454
    published2008-03-13
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/31454
    titleopenSUSE 10 Security Update : evolution (evolution-5087)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2008-063.NASL
    descriptionUlf Harnhammar of Secunia Research discovered a format string flaw in how Evolution displayed encrypted mail content. If a user were to open a carefully crafted email message, arbitrary code could be executed with the permissions of the user running Evolution. The updated packages have been patched to correct this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id36634
    published2009-04-23
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/36634
    titleMandriva Linux Security Advisory : evolution (MDVSA-2008:063)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200803-12.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200803-12 (Evolution: Format string vulnerability) Ulf Harnhammar from Secunia Research discovered a format string error in the emf_multipart_encrypted() function in the file mail/em-format.c when reading certain data (e.g. the
    last seen2020-06-01
    modified2020-06-02
    plugin id31387
    published2008-03-07
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/31387
    titleGLSA-200803-12 : Evolution: Format string vulnerability
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2008-0177.NASL
    descriptionFrom Red Hat Security Advisory 2008:0177 : Updated evolution packages that fix a format string bug are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having critical security impact by the Red Hat Security Response Team. Evolution is the GNOME collection of personal information management (PIM) tools. A format string flaw was found in the way Evolution displayed encrypted mail content. If a user opened a carefully crafted mail message, arbitrary code could be executed as the user running Evolution. (CVE-2008-0072) All users of Evolution should upgrade to these updated packages, which contain a backported patch which resolves this issue. Red Hat would like to thank Ulf Harnhammar of Secunia Research for finding and reporting this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id67667
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/67667
    titleOracle Linux 4 : evolution (ELSA-2008-0177)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2008-0177.NASL
    descriptionUpdated evolution packages that fix a format string bug are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having critical security impact by the Red Hat Security Response Team. Evolution is the GNOME collection of personal information management (PIM) tools. A format string flaw was found in the way Evolution displayed encrypted mail content. If a user opened a carefully crafted mail message, arbitrary code could be executed as the user running Evolution. (CVE-2008-0072) All users of Evolution should upgrade to these updated packages, which contain a backported patch which resolves this issue. Red Hat would like to thank Ulf Harnhammar of Secunia Research for finding and reporting this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id31424
    published2008-03-13
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/31424
    titleCentOS 4 / 5 : evolution (CESA-2008:0177)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2008-0177.NASL
    descriptionUpdated evolution packages that fix a format string bug are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having critical security impact by the Red Hat Security Response Team. Evolution is the GNOME collection of personal information management (PIM) tools. A format string flaw was found in the way Evolution displayed encrypted mail content. If a user opened a carefully crafted mail message, arbitrary code could be executed as the user running Evolution. (CVE-2008-0072) All users of Evolution should upgrade to these updated packages, which contain a backported patch which resolves this issue. Red Hat would like to thank Ulf Harnhammar of Secunia Research for finding and reporting this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id31389
    published2008-03-07
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/31389
    titleRHEL 4 / 5 : evolution (RHSA-2008:0177)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1512.NASL
    descriptionUlf Harnhammar discovered that Evolution, the e-mail and groupware suite, had a format string vulnerability in the parsing of encrypted mail messages. If the user opened a specially crafted email message, code execution was possible.
    last seen2020-06-01
    modified2020-06-02
    plugin id31359
    published2008-03-07
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/31359
    titleDebian DSA-1512-1 : evolution - format string attack
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2008-2290.NASL
    descriptionUlf Harnhammar of Secunia Research discovered a format string flaw in the way Evolution displayed encrypted mail content. If a user opened a carefully crafted mail message, arbitrary code could be executed as the user running Evolution. (CVE-2008-0072) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id31374
    published2008-03-07
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/31374
    titleFedora 7 : evolution-2.10.3-8.fc7 (2008-2290)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20080305_EVOLUTION_ON_SL4_X.NASL
    descriptionA format string flaw was found in the way Evolution displayed encrypted mail content. If a user opened a carefully crafted mail message, arbitrary code could be executed as the user running Evolution. (CVE-2008-0072)
    last seen2020-06-01
    modified2020-06-02
    plugin id60369
    published2012-08-01
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/60369
    titleScientific Linux Security Update : evolution on SL4.x, SL5.x i386/x86_64
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2008-2292.NASL
    descriptionUlf Harnhammar of Secunia Research discovered a format string flaw in the way Evolution displayed encrypted mail content. If a user opened a carefully crafted mail message, arbitrary code could be executed as the user running Evolution. (CVE-2008-0072) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id31375
    published2008-03-07
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/31375
    titleFedora 8 : evolution-2.12.3-3.fc8 (2008-2292)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2008-0178.NASL
    descriptionUpdated evolution packages that fix a format string bug are now available for Red Hat Enterprise Linux 4.5 Extended Update Support. This update has been rated as having critical security impact by the Red Hat Security Response Team. Evolution is the GNOME collection of personal information management (PIM) tools. A format string flaw was found in the way Evolution displayed encrypted mail content. If a user opened a carefully crafted mail message, arbitrary code could be executed as the user running Evolution. (CVE-2008-0072) All users of Evolution should upgrade to these updated packages, which contain a backported patch which resolves this issue. Red Hat would like to thank Ulf Harnhammar of Secunia Research for finding and reporting this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id63849
    published2013-01-24
    reporterThis script is Copyright (C) 2013-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/63849
    titleRHEL 4 : evolution (RHSA-2008:0178)

Oval

accepted2013-04-29T04:07:53.767-04:00
classvulnerability
contributors
  • nameAharon Chernin
    organizationSCAP.com, LLC
  • nameDragos Prisaca
    organizationG2, Inc.
definition_extensions
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 4
    ovaloval:org.mitre.oval:def:11831
  • commentCentOS Linux 4.x
    ovaloval:org.mitre.oval:def:16636
  • commentOracle Linux 4.x
    ovaloval:org.mitre.oval:def:15990
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 5
    ovaloval:org.mitre.oval:def:11414
  • commentThe operating system installed on the system is CentOS Linux 5.x
    ovaloval:org.mitre.oval:def:15802
  • commentOracle Linux 5.x
    ovaloval:org.mitre.oval:def:15459
descriptionFormat string vulnerability in the emf_multipart_encrypted function in mail/em-format.c in Evolution 2.12.3 and earlier allows remote attackers to execute arbitrary code via a crafted encrypted message, as demonstrated using the Version field.
familyunix
idoval:org.mitre.oval:def:10701
statusaccepted
submitted2010-07-09T03:56:16-04:00
titleFormat string vulnerability in the emf_multipart_encrypted function in mail/em-format.c in Evolution 2.12.3 and earlier allows remote attackers to execute arbitrary code via a crafted encrypted message, as demonstrated using the Version field.
version27

Redhat

advisories
  • bugzilla
    id435759
    titleCVE-2008-0072 Evolution format string flaw
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 4 is installed
        ovaloval:com.redhat.rhba:tst:20070304025
      • OR
        • AND
          • commentevolution is earlier than 0:2.0.2-35.0.4.el4_6.1
            ovaloval:com.redhat.rhsa:tst:20080177001
          • commentevolution is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20070353004
        • AND
          • commentevolution-devel is earlier than 0:2.0.2-35.0.4.el4_6.1
            ovaloval:com.redhat.rhsa:tst:20080177003
          • commentevolution-devel is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20070353002
        • AND
          • commentevolution28 is earlier than 0:2.8.0-53.el4_6.2
            ovaloval:com.redhat.rhsa:tst:20080177005
          • commentevolution28 is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20080177006
        • AND
          • commentevolution28-devel is earlier than 0:2.8.0-53.el4_6.2
            ovaloval:com.redhat.rhsa:tst:20080177007
          • commentevolution28-devel is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20080177008
    • AND
      • commentRed Hat Enterprise Linux 5 is installed
        ovaloval:com.redhat.rhba:tst:20070331005
      • OR
        • AND
          • commentevolution-devel is earlier than 0:2.8.0-40.el5_1.1
            ovaloval:com.redhat.rhsa:tst:20080177010
          • commentevolution-devel is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070158004
        • AND
          • commentevolution is earlier than 0:2.8.0-40.el5_1.1
            ovaloval:com.redhat.rhsa:tst:20080177012
          • commentevolution is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070158002
    rhsa
    idRHSA-2008:0177
    released2008-03-05
    severityCritical
    titleRHSA-2008:0177: evolution security update (Critical)
  • rhsa
    idRHSA-2008:0178
rpms
  • evolution-0:2.0.2-35.0.4.el4_6.1
  • evolution-0:2.8.0-40.el5_1.1
  • evolution-debuginfo-0:2.0.2-35.0.4.el4_6.1
  • evolution-debuginfo-0:2.8.0-40.el5_1.1
  • evolution-devel-0:2.0.2-35.0.4.el4_6.1
  • evolution-devel-0:2.8.0-40.el5_1.1
  • evolution28-0:2.8.0-53.el4_6.2
  • evolution28-debuginfo-0:2.8.0-53.el4_6.2
  • evolution28-devel-0:2.8.0-53.el4_6.2
  • evolution-0:2.0.2-35.0.4.el4_5.1
  • evolution-debuginfo-0:2.0.2-35.0.4.el4_5.1
  • evolution-devel-0:2.0.2-35.0.4.el4_5.1