Vulnerabilities > CVE-2009-0587 - Numeric Errors vulnerability in Go-Evolution Evolution-Data-Server

CVSS 0.0 - NONE

Attack vector

UNKNOWN

Attack complexity

UNKNOWN

Privileges required

UNKNOWN

Confidentiality impact

UNKNOWN

Integrity impact

UNKNOWN

Availability impact

UNKNOWN

go-evolution

CWE-189

nessus

NVD

Published: 2009-03-14

Updated: 2023-02-13

Summary

Multiple integer overflows in Evolution Data Server (aka evolution-data-server) before 2.24.5 allow context-dependent attackers to execute arbitrary code via a long string that is converted to a base64 representation in (1) addressbook/libebook/e-vcard.c in evc or (2) camel/camel-mime-utils.c in libcamel.

Vulnerable Configurations

Part	Description	Count
Application	Go-Evolution GO Evolution Evolution Data Server *	1

Common Weakness Enumeration (CWE)

CWE-189 - Numeric Errors

Nessus

NASL family	SuSE Local Security Checks
NASL id	SUSE_11_EVOLUTION-DATA-SERVER-100208.NASL
description	This update fixes the following vulnerability : evolution considered S/MIME signatures to be valid even for modified mails. (CVE-2009-0547: CVSS v2 Base Score: 5.0) Additionally the following bug has been fixed : - A POP3 server sending overly long lines could crash evolution.
last seen	2020-06-01
modified	2020-06-02
plugin id	45036
published	2010-03-11
reporter	This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/45036
title	SuSE 11 Security Update : evolution-data-server (SAT Patch Number 1944)

NASL family	CentOS Local Security Checks
NASL id	CENTOS_RHSA-2009-0358.NASL
description	Updated evolution packages that fixes multiple security issues are now available for Red Hat Enterprise Linux 3. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Evolution is the integrated collection of e-mail, calendaring, contact management, communications, and personal information management (PIM) tools for the GNOME desktop environment. It was discovered that evolution did not properly validate NTLM (NT LAN Manager) authentication challenge packets. A malicious server using NTLM authentication could cause evolution to disclose portions of its memory or crash during user authentication. (CVE-2009-0582) An integer overflow flaw which could cause heap-based buffer overflow was found in the Base64 encoding routine used by evolution. This could cause evolution to crash, or, possibly, execute an arbitrary code when large untrusted data blocks were Base64-encoded. (CVE-2009-0587) All users of evolution are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of evolution must be restarted for the update to take effect.
last seen	2020-06-01
modified	2020-06-02
plugin id	35931
published	2009-03-17
reporter	This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/35931
title	CentOS 3 : evolution (CESA-2009:0358)

NASL family	Ubuntu Local Security Checks
NASL id	UBUNTU_USN-733-1.NASL
description	It was discovered that the Base64 encoding functions in evolution-data-server did not properly handle large strings. If a user were tricked into opening a specially crafted image file, or tricked into connecting to a malicious server, an attacker could possibly execute arbitrary code with user privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	36746
published	2009-04-23
reporter	Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/36746
title	Ubuntu 6.06 LTS / 7.10 : evolution-data-server vulnerability (USN-733-1)

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2009-0358.NASL
description	Updated evolution packages that fixes multiple security issues are now available for Red Hat Enterprise Linux 3. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Evolution is the integrated collection of e-mail, calendaring, contact management, communications, and personal information management (PIM) tools for the GNOME desktop environment. It was discovered that evolution did not properly validate NTLM (NT LAN Manager) authentication challenge packets. A malicious server using NTLM authentication could cause evolution to disclose portions of its memory or crash during user authentication. (CVE-2009-0582) An integer overflow flaw which could cause heap-based buffer overflow was found in the Base64 encoding routine used by evolution. This could cause evolution to crash, or, possibly, execute an arbitrary code when large untrusted data blocks were Base64-encoded. (CVE-2009-0587) All users of evolution are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of evolution must be restarted for the update to take effect.
last seen	2020-06-01
modified	2020-06-02
plugin id	35947
published	2009-03-17
reporter	This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/35947
title	RHEL 3 : evolution (RHSA-2009:0358)

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DSA-1813.NASL
description	Several vulnerabilities have been found in evolution-data-server, the database backend server for the evolution groupware suite. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2009-0587 It was discovered that evolution-data-server is prone to integer overflows triggered by large base64 strings. - CVE-2009-0547 Joachim Breitner discovered that S/MIME signatures are not verified properly, which can lead to spoofing attacks. - CVE-2009-0582 It was discovered that NTLM authentication challenge packets are not validated properly when using the NTLM authentication method, which could lead to an information disclosure or a denial of service.
last seen	2020-06-01
modified	2020-06-02
plugin id	39334
published	2009-06-09
reporter	This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/39334
title	Debian DSA-1813-1 : evolution-data-server - Several vulnerabilities

NASL family	Oracle Linux Local Security Checks
NASL id	ORACLELINUX_ELSA-2009-0355.NASL
description	From Red Hat Security Advisory 2009:0355 : Updated evolution and evolution-data-server packages that fixes multiple security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Evolution is the integrated collection of e-mail, calendaring, contact management, communications, and personal information management (PIM) tools for the GNOME desktop environment. Evolution Data Server provides a unified back-end for applications which interact with contacts, task and calendar information. Evolution Data Server was originally developed as a back-end for Evolution, but is now used by multiple other applications. Evolution did not properly check the Secure/Multipurpose Internet Mail Extensions (S/MIME) signatures used for public key encryption and signing of e-mail messages. An attacker could use this flaw to spoof a signature by modifying the text of the e-mail message displayed to the user. (CVE-2009-0547) It was discovered that evolution did not properly validate NTLM (NT LAN Manager) authentication challenge packets. A malicious server using NTLM authentication could cause evolution to disclose portions of its memory or crash during user authentication. (CVE-2009-0582) Multiple integer overflow flaws which could cause heap-based buffer overflows were found in the Base64 encoding routines used by evolution and evolution-data-server. This could cause evolution, or an application using evolution-data-server, to crash, or, possibly, execute an arbitrary code when large untrusted data blocks were Base64-encoded. (CVE-2009-0587) All users of evolution and evolution-data-server are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of evolution and evolution-data-server must be restarted for the update to take effect.
last seen	2020-06-01
modified	2020-06-02
plugin id	67826
published	2013-07-12
reporter	This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/67826
title	Oracle Linux 4 : evolution / evolution-data-server (ELSA-2009-0355)

NASL family	Oracle Linux Local Security Checks
NASL id	ORACLELINUX_ELSA-2009-0354.NASL
description	From Red Hat Security Advisory 2009:0354 : Updated evolution-data-server and evolution28-evolution-data-server packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Evolution Data Server provides a unified back-end for applications which interact with contacts, task, and calendar information. Evolution Data Server was originally developed as a back-end for Evolution, but is now used by multiple other applications. Evolution Data Server did not properly check the Secure/Multipurpose Internet Mail Extensions (S/MIME) signatures used for public key encryption and signing of e-mail messages. An attacker could use this flaw to spoof a signature by modifying the text of the e-mail message displayed to the user. (CVE-2009-0547) It was discovered that Evolution Data Server did not properly validate NTLM (NT LAN Manager) authentication challenge packets. A malicious server using NTLM authentication could cause an application using Evolution Data Server to disclose portions of its memory or crash during user authentication. (CVE-2009-0582) Multiple integer overflow flaws which could cause heap-based buffer overflows were found in the Base64 encoding routines used by Evolution Data Server. This could cause an application using Evolution Data Server to crash, or, possibly, execute an arbitrary code when large untrusted data blocks were Base64-encoded. (CVE-2009-0587) All users of evolution-data-server and evolution28-evolution-data-server are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of Evolution Data Server and applications using it (such as Evolution) must be restarted for the update to take effect.
last seen	2020-06-01
modified	2020-06-02
plugin id	67825
published	2013-07-12
reporter	This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/67825
title	Oracle Linux 4 / 5 : evolution-data-server (ELSA-2009-0354)

NASL family	Mandriva Local Security Checks
NASL id	MANDRIVA_MDVSA-2009-078.NASL
description	A wrong handling of signed Secure/Multipurpose Internet Mail Extensions (S/MIME) e-mail messages enables attackers to spoof its signatures by modifying the latter copy (CVE-2009-0547). Crafted authentication challange packets (NT Lan Manager type 2) sent by a malicious remote mail server enables remote attackers either to cause denial of service and to read information from the process memory of the client (CVE-2009-0582). Multiple integer overflows in Base64 encoding functions enables attackers either to cause denial of service and to execute arbitrary code (CVE-2009-0587). This update provides fixes for those vulnerabilities. Update : evolution-data-server packages from Mandriva Linux distributions 2008.1 and 2009.0 are not affected by CVE-2009-0587.
last seen	2020-06-01
modified	2020-06-02
plugin id	37259
published	2009-04-23
reporter	This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/37259
title	Mandriva Linux Security Advisory : evolution-data-server (MDVSA-2009:078)

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2009-0354.NASL
description	Updated evolution-data-server and evolution28-evolution-data-server packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Evolution Data Server provides a unified back-end for applications which interact with contacts, task, and calendar information. Evolution Data Server was originally developed as a back-end for Evolution, but is now used by multiple other applications. Evolution Data Server did not properly check the Secure/Multipurpose Internet Mail Extensions (S/MIME) signatures used for public key encryption and signing of e-mail messages. An attacker could use this flaw to spoof a signature by modifying the text of the e-mail message displayed to the user. (CVE-2009-0547) It was discovered that Evolution Data Server did not properly validate NTLM (NT LAN Manager) authentication challenge packets. A malicious server using NTLM authentication could cause an application using Evolution Data Server to disclose portions of its memory or crash during user authentication. (CVE-2009-0582) Multiple integer overflow flaws which could cause heap-based buffer overflows were found in the Base64 encoding routines used by Evolution Data Server. This could cause an application using Evolution Data Server to crash, or, possibly, execute an arbitrary code when large untrusted data blocks were Base64-encoded. (CVE-2009-0587) All users of evolution-data-server and evolution28-evolution-data-server are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of Evolution Data Server and applications using it (such as Evolution) must be restarted for the update to take effect.
last seen	2020-06-01
modified	2020-06-02
plugin id	35945
published	2009-03-17
reporter	This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/35945
title	RHEL 4 / 5 : evolution-data-server (RHSA-2009:0354)

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2009-0355.NASL
description	Updated evolution and evolution-data-server packages that fixes multiple security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Evolution is the integrated collection of e-mail, calendaring, contact management, communications, and personal information management (PIM) tools for the GNOME desktop environment. Evolution Data Server provides a unified back-end for applications which interact with contacts, task and calendar information. Evolution Data Server was originally developed as a back-end for Evolution, but is now used by multiple other applications. Evolution did not properly check the Secure/Multipurpose Internet Mail Extensions (S/MIME) signatures used for public key encryption and signing of e-mail messages. An attacker could use this flaw to spoof a signature by modifying the text of the e-mail message displayed to the user. (CVE-2009-0547) It was discovered that evolution did not properly validate NTLM (NT LAN Manager) authentication challenge packets. A malicious server using NTLM authentication could cause evolution to disclose portions of its memory or crash during user authentication. (CVE-2009-0582) Multiple integer overflow flaws which could cause heap-based buffer overflows were found in the Base64 encoding routines used by evolution and evolution-data-server. This could cause evolution, or an application using evolution-data-server, to crash, or, possibly, execute an arbitrary code when large untrusted data blocks were Base64-encoded. (CVE-2009-0587) All users of evolution and evolution-data-server are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of evolution and evolution-data-server must be restarted for the update to take effect.
last seen	2020-06-01
modified	2020-06-02
plugin id	35946
published	2009-03-17
reporter	This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/35946
title	RHEL 4 : evolution and evolution-data-server (RHSA-2009:0355)

NASL family	Scientific Linux Local Security Checks
NASL id	SL_20090316_EVOLUTION_AND_EVOLUTION_DATA_SERVER_ON_SL4_X.NASL
description	Evolution Data Server provides a unified back-end for applications which interact with contacts, task and calendar information. Evolution Data Server was originally developed as a back-end for Evolution, but is now used by multiple other applications. Evolution did not properly check the Secure/Multipurpose Internet Mail Extensions (S/MIME) signatures used for public key encryption and signing of e-mail messages. An attacker could use this flaw to spoof a signature by modifying the text of the e-mail message displayed to the user. (CVE-2009-0547) It was discovered that evolution did not properly validate NTLM (NT LAN Manager) authentication challenge packets. A malicious server using NTLM authentication could cause evolution to disclose portions of its memory or crash during user authentication. (CVE-2009-0582) Multiple integer overflow flaws which could cause heap-based buffer overflows were found in the Base64 encoding routines used by evolution and evolution-data-server. This could cause evolution, or an application using evolution-data-server, to crash, or, possibly, execute an arbitrary code when large untrusted data blocks were Base64-encoded. (CVE-2009-0587) All running instances of evolution and evolution-data-server must be restarted for the update to take effect.
last seen	2020-06-01
modified	2020-06-02
plugin id	60544
published	2012-08-01
reporter	This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/60544
title	Scientific Linux Security Update : evolution and evolution-data-server on SL4.x i386/x86_64

NASL family	CentOS Local Security Checks
NASL id	CENTOS_RHSA-2009-0354.NASL
description	Updated evolution-data-server and evolution28-evolution-data-server packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Evolution Data Server provides a unified back-end for applications which interact with contacts, task, and calendar information. Evolution Data Server was originally developed as a back-end for Evolution, but is now used by multiple other applications. Evolution Data Server did not properly check the Secure/Multipurpose Internet Mail Extensions (S/MIME) signatures used for public key encryption and signing of e-mail messages. An attacker could use this flaw to spoof a signature by modifying the text of the e-mail message displayed to the user. (CVE-2009-0547) It was discovered that Evolution Data Server did not properly validate NTLM (NT LAN Manager) authentication challenge packets. A malicious server using NTLM authentication could cause an application using Evolution Data Server to disclose portions of its memory or crash during user authentication. (CVE-2009-0582) Multiple integer overflow flaws which could cause heap-based buffer overflows were found in the Base64 encoding routines used by Evolution Data Server. This could cause an application using Evolution Data Server to crash, or, possibly, execute an arbitrary code when large untrusted data blocks were Base64-encoded. (CVE-2009-0587) All users of evolution-data-server and evolution28-evolution-data-server are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of Evolution Data Server and applications using it (such as Evolution) must be restarted for the update to take effect.
last seen	2020-06-01
modified	2020-06-02
plugin id	38893
published	2009-05-26
reporter	This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/38893
title	CentOS 4 : evolution-data-server (CESA-2009:0354)

NASL family	CentOS Local Security Checks
NASL id	CENTOS_RHSA-2009-0355.NASL
description	Updated evolution and evolution-data-server packages that fixes multiple security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Evolution is the integrated collection of e-mail, calendaring, contact management, communications, and personal information management (PIM) tools for the GNOME desktop environment. Evolution Data Server provides a unified back-end for applications which interact with contacts, task and calendar information. Evolution Data Server was originally developed as a back-end for Evolution, but is now used by multiple other applications. Evolution did not properly check the Secure/Multipurpose Internet Mail Extensions (S/MIME) signatures used for public key encryption and signing of e-mail messages. An attacker could use this flaw to spoof a signature by modifying the text of the e-mail message displayed to the user. (CVE-2009-0547) It was discovered that evolution did not properly validate NTLM (NT LAN Manager) authentication challenge packets. A malicious server using NTLM authentication could cause evolution to disclose portions of its memory or crash during user authentication. (CVE-2009-0582) Multiple integer overflow flaws which could cause heap-based buffer overflows were found in the Base64 encoding routines used by evolution and evolution-data-server. This could cause evolution, or an application using evolution-data-server, to crash, or, possibly, execute an arbitrary code when large untrusted data blocks were Base64-encoded. (CVE-2009-0587) All users of evolution and evolution-data-server are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of evolution and evolution-data-server must be restarted for the update to take effect.
last seen	2020-06-01
modified	2020-06-02
plugin id	38894
published	2009-05-26
reporter	This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/38894
title	CentOS 4 : evolution / evolution-data-server (CESA-2009:0355)

NASL family	Scientific Linux Local Security Checks
NASL id	SL_20090316_EVOLUTION_ON_SL3_X.NASL
description	It was discovered that evolution did not properly validate NTLM (NT LAN Manager) authentication challenge packets. A malicious server using NTLM authentication could cause evolution to disclose portions of its memory or crash during user authentication. (CVE-2009-0582) An integer overflow flaw which could cause heap-based buffer overflow was found in the Base64 encoding routine used by evolution. This could cause evolution to crash, or, possibly, execute an arbitrary code when large untrusted data blocks were Base64-encoded. (CVE-2009-0587) All running instances of evolution must be restarted for the update to take effect.
last seen	2020-06-01
modified	2020-06-02
plugin id	60546
published	2012-08-01
reporter	This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/60546
title	Scientific Linux Security Update : evolution on SL3.x i386/x86_64

NASL family	SuSE Local Security Checks
NASL id	SUSE_EVOLUTION-DATA-SERVER-7029.NASL
description	The following bugs have been fixed : evolution considered S/MIME signatures to be valid even for modified mails (CVE-2009-0547). specially crafted base64 encoded messages could cause a heap buffer overflow (CVE-2009-0587). A POP3 server sending overly long lines could crash evolution.
last seen	2020-06-01
modified	2020-06-02
plugin id	49847
published	2010-10-11
reporter	This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/49847
title	SuSE 10 Security Update : evolution-data-server (ZYPP Patch Number 7029)

NASL family	Scientific Linux Local Security Checks
NASL id	SL_20090316_EVOLUTION_DATA_SERVER_ON_SL5_X.NASL
description	Evolution Data Server did not properly check the Secure/Multipurpose Internet Mail Extensions (S/MIME) signatures used for public key encryption and signing of e-mail messages. An attacker could use this flaw to spoof a signature by modifying the text of the e-mail message displayed to the user. (CVE-2009-0547) It was discovered that Evolution Data Server did not properly validate NTLM (NT LAN Manager) authentication challenge packets. A malicious server using NTLM authentication could cause an application using Evolution Data Server to disclose portions of its memory or crash during user authentication. (CVE-2009-0582) Multiple integer overflow flaws which could cause heap-based buffer overflows were found in the Base64 encoding routines used by Evolution Data Server. This could cause an application using Evolution Data Server to crash, or, possibly, execute an arbitrary code when large untrusted data blocks were Base64-encoded. (CVE-2009-0587) All running instances of Evolution Data Server and applications using it (such as Evolution) must be restarted for the update to take effect.
last seen	2020-06-01
modified	2020-06-02
plugin id	60545
published	2012-08-01
reporter	This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/60545
title	Scientific Linux Security Update : evolution-data-server on SL5.x i386/x86_64

NASL family	Oracle Linux Local Security Checks
NASL id	ORACLELINUX_ELSA-2009-0358.NASL
description	From Red Hat Security Advisory 2009:0358 : Updated evolution packages that fixes multiple security issues are now available for Red Hat Enterprise Linux 3. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Evolution is the integrated collection of e-mail, calendaring, contact management, communications, and personal information management (PIM) tools for the GNOME desktop environment. It was discovered that evolution did not properly validate NTLM (NT LAN Manager) authentication challenge packets. A malicious server using NTLM authentication could cause evolution to disclose portions of its memory or crash during user authentication. (CVE-2009-0582) An integer overflow flaw which could cause heap-based buffer overflow was found in the Base64 encoding routine used by evolution. This could cause evolution to crash, or, possibly, execute an arbitrary code when large untrusted data blocks were Base64-encoded. (CVE-2009-0587) All users of evolution are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of evolution must be restarted for the update to take effect.
last seen	2020-06-01
modified	2020-06-02
plugin id	67827
published	2013-07-12
reporter	This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/67827
title	Oracle Linux 3 : evolution (ELSA-2009-0358)

Oval

accepted

2013-04-29T04:13:42.259-04:00

class

vulnerability

contributors

name Aharon Chernin
organization SCAP.com, LLC
name Dragos Prisaca
organization G2, Inc.

definition_extensions

comment The operating system installed on the system is Red Hat Enterprise Linux 3
oval oval:org.mitre.oval:def:11782
comment CentOS Linux 3.x
oval oval:org.mitre.oval:def:16651
comment The operating system installed on the system is Red Hat Enterprise Linux 4
oval oval:org.mitre.oval:def:11831
comment CentOS Linux 4.x
oval oval:org.mitre.oval:def:16636
comment Oracle Linux 4.x
oval oval:org.mitre.oval:def:15990
comment The operating system installed on the system is Red Hat Enterprise Linux 5
oval oval:org.mitre.oval:def:11414
comment The operating system installed on the system is CentOS Linux 5.x
oval oval:org.mitre.oval:def:15802
comment Oracle Linux 5.x
oval oval:org.mitre.oval:def:15459

description

family

unix

oval:org.mitre.oval:def:11385

status

accepted

submitted

2010-07-09T03:56:16-04:00

title

version

Redhat

advisories

bugzilla

id	488226
title	CVE-2009-0587 evolution-data-server: integer overflow in base64 encoding functions

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 4 is installed
oval oval:com.redhat.rhba:tst:20070304025

AND

comment evolution28-evolution-data-server is earlier than 0:1.8.0-37.el4_7.2
oval oval:com.redhat.rhsa:tst:20090354001
comment evolution28-evolution-data-server is signed with Red Hat master key
oval oval:com.redhat.rhsa:tst:20090354002

AND

comment evolution28-evolution-data-server-devel is earlier than 0:1.8.0-37.el4_7.2
oval oval:com.redhat.rhsa:tst:20090354003
comment evolution28-evolution-data-server-devel is signed with Red Hat master key
oval oval:com.redhat.rhsa:tst:20090354004

AND

comment Red Hat Enterprise Linux 5 is installed
oval oval:com.redhat.rhba:tst:20070331005

AND

comment evolution-data-server is earlier than 0:1.12.3-10.el5_3.3
oval oval:com.redhat.rhsa:tst:20090354006
comment evolution-data-server is signed with Red Hat redhatrelease key
oval oval:com.redhat.rhsa:tst:20070344004

AND

comment evolution-data-server-doc is earlier than 0:1.12.3-10.el5_3.3
oval oval:com.redhat.rhsa:tst:20090354008
comment evolution-data-server-doc is signed with Red Hat redhatrelease key
oval oval:com.redhat.rhsa:tst:20090354009

AND

comment evolution-data-server-devel is earlier than 0:1.12.3-10.el5_3.3
oval oval:com.redhat.rhsa:tst:20090354010
comment evolution-data-server-devel is signed with Red Hat redhatrelease key
oval oval:com.redhat.rhsa:tst:20070344002

rhsa

id	RHSA-2009:0354
released	2009-03-16
severity	Moderate
title	RHSA-2009:0354: evolution-data-server security update (Moderate)

bugzilla

id	488226
title	CVE-2009-0587 evolution-data-server: integer overflow in base64 encoding functions

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 4 is installed
oval oval:com.redhat.rhba:tst:20070304025

AND
comment evolution-devel is earlier than 0:2.0.2-41.el4_7.2
oval oval:com.redhat.rhsa:tst:20090355001
comment evolution-devel is signed with Red Hat master key
oval oval:com.redhat.rhsa:tst:20070353002
AND
comment evolution is earlier than 0:2.0.2-41.el4_7.2
oval oval:com.redhat.rhsa:tst:20090355003
comment evolution is signed with Red Hat master key
oval oval:com.redhat.rhsa:tst:20070353004

AND

comment evolution-data-server-devel is earlier than 0:1.0.2-14.el4_7.1
oval oval:com.redhat.rhsa:tst:20090355005
comment evolution-data-server-devel is signed with Red Hat master key
oval oval:com.redhat.rhsa:tst:20090355006

AND

comment evolution-data-server is earlier than 0:1.0.2-14.el4_7.1
oval oval:com.redhat.rhsa:tst:20090355007
comment evolution-data-server is signed with Red Hat master key
oval oval:com.redhat.rhsa:tst:20090355008

rhsa

id	RHSA-2009:0355
released	2009-03-16
severity	Moderate
title	RHSA-2009:0355: evolution and evolution-data-server security update (Moderate)

rhsa
id RHSA-2009:0358

rpms

evolution-data-server-0:1.12.3-10.el5_3.3
evolution-data-server-debuginfo-0:1.12.3-10.el5_3.3
evolution-data-server-devel-0:1.12.3-10.el5_3.3
evolution-data-server-doc-0:1.12.3-10.el5_3.3
evolution28-evolution-data-server-0:1.8.0-37.el4_7.2
evolution28-evolution-data-server-debuginfo-0:1.8.0-37.el4_7.2
evolution28-evolution-data-server-devel-0:1.8.0-37.el4_7.2
evolution-0:2.0.2-41.el4_7.2
evolution-data-server-0:1.0.2-14.el4_7.1
evolution-data-server-debuginfo-0:1.0.2-14.el4_7.1
evolution-data-server-devel-0:1.0.2-14.el4_7.1
evolution-debuginfo-0:2.0.2-41.el4_7.2
evolution-devel-0:2.0.2-41.el4_7.2
evolution-0:1.4.5-25.el3
evolution-debuginfo-0:1.4.5-25.el3
evolution-devel-0:1.4.5-25.el3

Seebug

bulletinFamily	exploit
description	BUGTRAQ ID: 34100 CVE(CAN) ID: CVE-2008-4316,CVE-2009-0586,CVE-2009-0587,CVE-2009-0585 GLib是GTK+和GNOME工程的基础底层核心程序库，是一个综合用途的轻量级的C程序库。 glib库的Base64编码解码函数在处理超长字符串时没有正确地分配内存，在所有情况下都会使用用户提供值所计算出的长度分配堆内存： g_malloc(user_supplied_length * 3 / 4 + some_small_num) 由于算术运算的评估次序，长度在除以4之前首先乘以3，因此用于分配长度的计算参数可能溢出，导致分配不足的区域。 GNOME glib >= 2.12 stable GNOME glib >= 2.11 unstable 厂商补丁： GNOME ----- 目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： <a href=http://ocert.org/patches/2008-015/glib-CVE-2008-4316.diff target=_blank rel=external nofollow>http://ocert.org/patches/2008-015/glib-CVE-2008-4316.diff</a> <a href=http://ocert.org/patches/2008-015/gst-plugins-base-CVE-2009-0586.diff target=_blank rel=external nofollow>http://ocert.org/patches/2008-015/gst-plugins-base-CVE-2009-0586.diff</a> <a href=http://ocert.org/patches/2008-015/camel-CVE-2009-0587.diff target=_blank rel=external nofollow>http://ocert.org/patches/2008-015/camel-CVE-2009-0587.diff</a> <a href=http://ocert.org/patches/2008-015/evc-CVE-2009-0587.diff target=_blank rel=external nofollow>http://ocert.org/patches/2008-015/evc-CVE-2009-0587.diff</a> <a href=http://ocert.org/patches/2008-015/libsoup-base64-CVE-2009-0585.diff target=_blank rel=external nofollow>http://ocert.org/patches/2008-015/libsoup-base64-CVE-2009-0585.diff</a>
id	SSV:4913
last seen	2017-11-19
modified	2009-03-14
published	2009-03-14
reporter	Root
title	GNOME glib Base64编码解码多个整数溢出漏洞

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Nessus

Oval

Redhat

Seebug

References