Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#11684 closed enhancement (fixed)

Generate a security patch for Evolution CVE-2018-15587

Reported by: Douglas R. Reno Owned by: Douglas R. Reno
Priority: high Milestone: 8.4
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

I was just emailed privately by an Arch Linux developer regarding CVE-2018-15587 in Evolution, and two vulnerabilities in GDM (I'll file a separate ticket for that).

GNOME Evolution through 3.28.2 is prone to OpenPGP signatures being spoofed for arbitrary messages using a specially crafted email that contains a valid signature from the entity to be impersonated as an attachment.
You can find a patch here:

[https://gitlab.gnome.org/GNOME/evolution/issues/120
[https://gitlab.gnome.org/GNOME/evolution/commit/9c55a311325f5905d8b8403b96607e46cf343f21]

There is a possibility that you might not be able to backport it to 3.30 though, but I figured I would give you a heads up.

Change History (3)

comment:1 by Douglas R. Reno, 3 years ago

Milestone: 8.58.4
Owner: changed from blfs-book to Douglas R. Reno
Priority: normalhigh
Status: newassigned

comment:2 by Douglas R. Reno, 3 years ago

Resolution: fixed
Status: assignedclosed

Patch added at r3890

comment:3 by Douglas R. Reno, 3 years ago

Fixed at r21227

Note: See TracTickets for help on using tickets.