Vulnerabilities > CVE-2008-1109 - Buffer Errors vulnerability in Gnome Evolution 2.22.1

CVSS 9.3 - CRITICAL

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

gnome

CWE-119

critical

nessus

NVD

Published: 2008-06-04

Updated: 2017-09-29

Summary

Heap-based buffer overflow in Evolution 2.22.1 allows user-assisted remote attackers to execute arbitrary code via a long DESCRIPTION property in an iCalendar attachment, which is not properly handled during a reply in the calendar view (aka the Calendars window).

Vulnerable Configurations

Part	Description	Count
Application	Gnome Gnome Evolution 2.22.1	1

Common Weakness Enumeration (CWE)

CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Common Attack Pattern Enumeration and Classification (CAPEC)

Buffer Overflow via Environment Variables
This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
Overflow Buffers
Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
Client-side Injection-induced Buffer Overflow
This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
Filter Failure through Buffer Overflow
In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
MIME Conversion
An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

NASL family	Mandriva Local Security Checks
NASL id	MANDRIVA_MDVSA-2008-111.NASL
description	Alan Rad Pop of Secunia Research discovered the following two vulnerabilities in Evolution : Evolution did not properly validate timezone data when processing iCalendar attachments. If a user disabled the Itip Formatter plugin and viewed a crafted iCalendar attachment, an attacker could cause a denial of service or potentially execute arbitrary code with the user
last seen	2020-06-01
modified	2020-06-02
plugin id	37236
published	2009-04-23
reporter	This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/37236
title	Mandriva Linux Security Advisory : evolution (MDVSA-2008:111)

NASL family	CentOS Local Security Checks
NASL id	CENTOS_RHSA-2008-0515.NASL
description	Updated evolution28 packages that address two buffer overflow vulnerabilities are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. Evolution is the integrated collection of e-mail, calendaring, contact management, communications and personal information management (PIM) tools for the GNOME desktop environment. A flaw was found in the way Evolution parsed iCalendar timezone attachment data. If the Itip Formatter plug-in was disabled and a user opened a mail with a carefully crafted iCalendar attachment, arbitrary code could be executed as the user running Evolution. (CVE-2008-1108) Note: the Itip Formatter plug-in, which allows calendar information (attachments with a MIME type of
last seen	2020-06-01
modified	2020-06-02
plugin id	33110
published	2008-06-09
reporter	This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/33110
title	CentOS 4 : evolution28 (CESA-2008:0515)

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2008-5016.NASL
description	Fix two buffer overflows in iCalendar .ics file fromat support discovered and reported by Alin Rad Pop of the Secunia Research: CVE-2008-1108, CVE-2008-1109, SA30298 See referenced bugzilla bugs or Secunia advisories for further details: http://secunia.com/advisories/30298 http://secunia.com/secunia_research/2008-22/advisory/ http://secunia.com/secunia_research/2008-23/advisory/ Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	33115
published	2008-06-09
reporter	This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/33115
title	Fedora 8 : evolution-2.12.3-5.fc8 (2008-5016)

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2008-4990.NASL
description	Fix two buffer overflows in iCalendar .ics file fromat support discovered and reported by Alin Rad Pop of the Secunia Research: CVE-2008-1108, CVE-2008-1109, SA30298 See referenced bugzilla bugs or Secunia advisories for further details: http://secunia.com/advisories/30298 http://secunia.com/secunia_research/2008-22/advisory/ http://secunia.com/secunia_research/2008-23/advisory/ Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	33113
published	2008-06-09
reporter	This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/33113
title	Fedora 9 : evolution-2.22.2-2.fc9 (2008-4990)

NASL family	Gentoo Local Security Checks
NASL id	GENTOO_GLSA-200806-06.NASL
description	The remote host is affected by the vulnerability described in GLSA-200806-06 (Evolution: User-assisted execution of arbitrary code) Alin Rad Pop (Secunia Research) reported two vulnerabilities in Evolution: A boundary error exists when parsing overly long timezone strings contained within iCalendar attachments and when the ITip formatter is disabled (CVE-2008-1108). A boundary error exists when replying to an iCalendar request with an overly long
last seen	2020-06-01
modified	2020-06-02
plugin id	33203
published	2008-06-18
reporter	This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/33203
title	GLSA-200806-06 : Evolution: User-assisted execution of arbitrary code

NASL family	Ubuntu Local Security Checks
NASL id	UBUNTU_USN-615-1.NASL
description	Alin Rad Pop of Secunia Research discovered that Evolution did not properly validate timezone data when processing iCalendar attachments. If a user disabled the ITip Formatter plugin and viewed a crafted iCalendar attachment, an attacker could cause a denial of service or possibly execute code with user privileges. Note that the ITip Formatter plugin is enabled by default in Ubuntu. (CVE-2008-1108) Alin Rad Pop of Secunia Research discovered that Evolution did not properly validate the DESCRIPTION field when processing iCalendar attachments. If a user were tricked into accepting a crafted iCalendar attachment and replied to it from the calendar window, an attacker code cause a denial of service or execute code with user privileges. (CVE-2008-1109) Matej Cepl discovered that Evolution did not properly validate date fields when processing iCalendar attachments. If a user disabled the ITip Formatter plugin and viewed a crafted iCalendar attachment, an attacker could cause a denial of service. Note that the ITip Formatter plugin is enabled by default in Ubuntu. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	33124
published	2008-06-09
reporter	Ubuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/33124
title	Ubuntu 6.06 LTS / 7.04 / 7.10 / 8.04 LTS : evolution vulnerabilities (USN-615-1)

NASL family	Scientific Linux Local Security Checks
NASL id	SL_20080604_EVOLUTION28_ON_SL4_6.NASL
description	A flaw was found in the way Evolution parsed iCalendar timezone attachment data. If the Itip Formatter plug-in was disabled and a user opened a mail with a carefully crafted iCalendar attachment, arbitrary code could be executed as the user running Evolution. (CVE-2008-1108) Note: the Itip Formatter plug-in, which allows calendar information (attachments with a MIME type of
last seen	2020-06-01
modified	2020-06-02
plugin id	60416
published	2012-08-01
reporter	This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/60416
title	Scientific Linux Security Update : evolution28 on SL4.6 i386/x86_64

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2008-0515.NASL
description	Updated evolution28 packages that address two buffer overflow vulnerabilities are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. Evolution is the integrated collection of e-mail, calendaring, contact management, communications and personal information management (PIM) tools for the GNOME desktop environment. A flaw was found in the way Evolution parsed iCalendar timezone attachment data. If the Itip Formatter plug-in was disabled and a user opened a mail with a carefully crafted iCalendar attachment, arbitrary code could be executed as the user running Evolution. (CVE-2008-1108) Note: the Itip Formatter plug-in, which allows calendar information (attachments with a MIME type of
last seen	2020-06-01
modified	2020-06-02
plugin id	33097
published	2008-06-05
reporter	This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/33097
title	RHEL 4 : evolution28 (RHSA-2008:0515)

NASL family	SuSE Local Security Checks
NASL id	SUSE_EVOLUTION-5326.NASL
description	Multiple buffer overflows have been fixed in evolution. CVE-2008-1108 and CVE-2008-1109 have been assigned to this issue.
last seen	2020-06-01
modified	2020-06-02
plugin id	33193
published	2008-06-16
reporter	This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/33193
title	openSUSE 10 Security Update : evolution (evolution-5326)

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2008-5018.NASL
description	Fix two buffer overflows in iCalendar .ics file fromat support discovered and reported by Alin Rad Pop of the Secunia Research: CVE-2008-1108, CVE-2008-1109, SA30298 See referenced bugzilla bugs or Secunia advisories for further details: http://secunia.com/advisories/30298 http://secunia.com/secunia_research/2008-22/advisory/ http://secunia.com/secunia_research/2008-23/advisory/ Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	33116
published	2008-06-09
reporter	This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/33116
title	Fedora 7 : evolution-2.10.3-10.fc7 (2008-5018)

NASL family	CentOS Local Security Checks
NASL id	CENTOS_RHSA-2008-0514.NASL
description	Updated evolution packages that fix two buffer overflow vulnerabilities are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. Evolution is the integrated collection of e-mail, calendaring, contact management, communications and personal information management (PIM) tools for the GNOME desktop environment. A flaw was found in the way Evolution parsed iCalendar timezone attachment data. If the Itip Formatter plug-in was disabled and a user opened a mail with a carefully crafted iCalendar attachment, arbitrary code could be executed as the user running Evolution. (CVE-2008-1108) Note: the Itip Formatter plug-in, which allows calendar information (attachments with a MIME type of
last seen	2020-06-01
modified	2020-06-02
plugin id	43691
published	2010-01-06
reporter	This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/43691
title	CentOS 5 : evolution (CESA-2008:0514)

NASL family	SuSE Local Security Checks
NASL id	SUSE_EVOLUTION-5327.NASL
description	Multiple buffer overflows have been fixed in evolution. CVE-2008-1108 / CVE-2008-1109 have been assigned to this issue.
last seen	2020-06-01
modified	2020-06-02
plugin id	33194
published	2008-06-16
reporter	This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/33194
title	SuSE 10 Security Update : evolution (ZYPP Patch Number 5327)

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2008-0514.NASL
description	Updated evolution packages that fix two buffer overflow vulnerabilities are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. Evolution is the integrated collection of e-mail, calendaring, contact management, communications and personal information management (PIM) tools for the GNOME desktop environment. A flaw was found in the way Evolution parsed iCalendar timezone attachment data. If the Itip Formatter plug-in was disabled and a user opened a mail with a carefully crafted iCalendar attachment, arbitrary code could be executed as the user running Evolution. (CVE-2008-1108) Note: the Itip Formatter plug-in, which allows calendar information (attachments with a MIME type of
last seen	2020-06-01
modified	2020-06-02
plugin id	33086
published	2008-06-04
reporter	This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/33086
title	RHEL 5 : evolution (RHSA-2008:0514)

NASL family	Oracle Linux Local Security Checks
NASL id	ORACLELINUX_ELSA-2008-0515.NASL
description	From Red Hat Security Advisory 2008:0515 : Updated evolution28 packages that address two buffer overflow vulnerabilities are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. Evolution is the integrated collection of e-mail, calendaring, contact management, communications and personal information management (PIM) tools for the GNOME desktop environment. A flaw was found in the way Evolution parsed iCalendar timezone attachment data. If the Itip Formatter plug-in was disabled and a user opened a mail with a carefully crafted iCalendar attachment, arbitrary code could be executed as the user running Evolution. (CVE-2008-1108) Note: the Itip Formatter plug-in, which allows calendar information (attachments with a MIME type of
last seen	2020-06-01
modified	2020-06-02
plugin id	67704
published	2013-07-12
reporter	This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/67704
title	Oracle Linux 4 : evolution28 (ELSA-2008-0515)

NASL family	Scientific Linux Local Security Checks
NASL id	SL_20080604_EVOLUTION_ON_SL5_X.NASL
description	A flaw was found in the way Evolution parsed iCalendar timezone attachment data. If the Itip Formatter plug-in was disabled and a user opened a mail with a carefully crafted iCalendar attachment, arbitrary code could be executed as the user running Evolution. (CVE-2008-1108) Note: the Itip Formatter plug-in, which allows calendar information (attachments with a MIME type of
last seen	2020-06-01
modified	2020-06-02
plugin id	60418
published	2012-08-01
reporter	This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/60418
title	Scientific Linux Security Update : evolution on SL5.x i386/x86_64

Oval

accepted

2013-04-29T04:04:47.414-04:00

class

vulnerability

contributors

name Aharon Chernin
organization SCAP.com, LLC
name Dragos Prisaca
organization G2, Inc.

definition_extensions

comment The operating system installed on the system is Red Hat Enterprise Linux 4
oval oval:org.mitre.oval:def:11831
comment CentOS Linux 4.x
oval oval:org.mitre.oval:def:16636
comment Oracle Linux 4.x
oval oval:org.mitre.oval:def:15990
comment The operating system installed on the system is Red Hat Enterprise Linux 5
oval oval:org.mitre.oval:def:11414
comment The operating system installed on the system is CentOS Linux 5.x
oval oval:org.mitre.oval:def:15802
comment Oracle Linux 5.x
oval oval:org.mitre.oval:def:15459

description

family

unix

oval:org.mitre.oval:def:10337

status

accepted

submitted

2010-07-09T03:56:16-04:00

title

version

Redhat

advisories

bugzilla

id	448541
title	CVE-2008-1109 evolution: iCalendar buffer overflow via large description parameter

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 5 is installed
oval oval:com.redhat.rhba:tst:20070331005

AND

comment evolution-help is earlier than 0:2.12.3-8.el5_2.2
oval oval:com.redhat.rhsa:tst:20080514001
comment evolution-help is signed with Red Hat redhatrelease key
oval oval:com.redhat.rhsa:tst:20080514002

AND
comment evolution is earlier than 0:2.12.3-8.el5_2.2
oval oval:com.redhat.rhsa:tst:20080514003
comment evolution is signed with Red Hat redhatrelease key
oval oval:com.redhat.rhsa:tst:20070158002

AND

comment evolution-devel is earlier than 0:2.12.3-8.el5_2.2
oval oval:com.redhat.rhsa:tst:20080514005
comment evolution-devel is signed with Red Hat redhatrelease key
oval oval:com.redhat.rhsa:tst:20070158004

rhsa

id	RHSA-2008:0514
released	2008-06-04
severity	Important
title	RHSA-2008:0514: evolution security update (Important)

bugzilla

id	448541
title	CVE-2008-1109 evolution: iCalendar buffer overflow via large description parameter

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 4 is installed
oval oval:com.redhat.rhba:tst:20070304025

AND
comment evolution28 is earlier than 0:2.8.0-53.el4_6.3
oval oval:com.redhat.rhsa:tst:20080515001
comment evolution28 is signed with Red Hat master key
oval oval:com.redhat.rhsa:tst:20080177006
AND
comment evolution28-devel is earlier than 0:2.8.0-53.el4_6.3
oval oval:com.redhat.rhsa:tst:20080515003
comment evolution28-devel is signed with Red Hat master key
oval oval:com.redhat.rhsa:tst:20080177008

rhsa

id	RHSA-2008:0515
released	2008-06-04
severity	Important
title	RHSA-2008:0515: evolution28 security update (Important)

rpms

evolution-0:2.12.3-8.el5_2.2
evolution-debuginfo-0:2.12.3-8.el5_2.2
evolution-devel-0:2.12.3-8.el5_2.2
evolution-help-0:2.12.3-8.el5_2.2
evolution28-0:2.8.0-53.el4_6.3
evolution28-debuginfo-0:2.8.0-53.el4_6.3
evolution28-devel-0:2.8.0-53.el4_6.3

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Nessus

Oval

Redhat

References