Max Vozeler discovered an integer overflow in the camel-lock-helper application. This application is installed setgid mail by default. A local attacker could exploit this to execute malicious code with the privileges of the 'mail' group; likewise a remote attacker could setup a malicious POP server to execute arbitrary code when an Evolution user connects to it.

The updated packages have been patched to prevent this problem.

Martin Joey Schulze reports :

Max Vozeler discovered an integer overflow in the helper application camel-lock-helper which runs setuid root or setgid mail inside of Evolution, a free groupware suite. A local attacker can cause the setuid root helper to execute arbitrary code with elevated privileges via a malicious POP server.

Updated evolution packages that fix various bugs are now available.

This update has been rated as having low security impact by the Red Hat Security Response Team.

Evolution is the GNOME collection of personal information management (PIM) tools. Evolution includes a mailer, calendar, contact manager, and communication facility. The tools which make up Evolution are tightly integrated with one another and act as a seamless personal information management tool.

A bug was found in Evolution's helper program camel-lock-helper. This bug could allow a local attacker to gain root privileges if camel-lock-helper has been built to execute with elevated privileges.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0102 to this issue. On Red Hat Enterprise Linux, camel-lock-helper is not built to execute with elevated privileges by default. Please note however that if users have rebuilt Evolution from the source RPM, as the root user, camel-lock-helper may be given elevated privileges.

Additionally, these updated packages address the following issues :

-- If evolution ran during a GNOME session, the evolution-wombat process did not exit when the user logged out of the desktop.

-- For folders marked for Offline Synchronization: if a user moved a message from a Local Folder to an IMAP folder while in Offline mode, the message was not present in either folder after returning to Online mode.

This update fixes this problem. Email messages that have been lost this way may still be present in the following path :

~/evolution/<NAME_OF_MAIL_STORE>/ \ <path-to-folder-via-subfolder-directories>/ \ <temporary-uid-of-message>

If this bug has affected you it may be possible to recover data by examining the contents of this directory.

All users of evolution should upgrade to these updated packages, which resolve these issues.

Max Vozeler discovered an integer overflow in a helper application inside of Evolution, a free groupware suite. A local attacker could cause the setuid root helper to execute arbitrary code with elevated privileges.

The remote Redhat Enterprise Linux 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2005:397 advisory.

    Evolution is a GNOME-based collection of personal information management     (PIM) tools.

    A bug was found in the way Evolution displays mail messages. It is possible     that an attacker could create a specially crafted mail message that when     opened by a victim causes Evolution to stop responding. The Common     Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name     CAN-2005-0806 to this issue.

    A bug was also found in Evolution's helper program camel-lock-helper. This     bug could allow a local attacker to gain root privileges if     camel-lock-helper has been built to execute with elevated privileges.  The     Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned     the name CAN-2005-0102 to this issue.  On Red Hat Enterprise Linux,     camel-lock-helper is not built to execute with elevated privileges by     default.  Please note however that if users have rebuilt Evolution from the     source RPM, as the root user, camel-lock-helper may be given elevated     privileges.

    All users of evolution should upgrade to these updated packages, which     include backported fixes to correct these issues.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-200501-35 (Evolution: Integer overflow in camel-lock-helper)

    Max Vozeler discovered an integer overflow in the     camel-lock-helper application, which is installed as setgid mail by     default.
  Impact :

    A local attacker could exploit this vulnerability to execute     malicious code with the privileges of the 'mail' group. A remote     attacker could also setup a malicious POP server to execute arbitrary     code when an Evolution user connects to it.
  Workaround :

    There is no known workaround at this time.

Updated evolution packages that fix various security issues are now available.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

Evolution is a GNOME-based collection of personal information management (PIM) tools.

A bug was found in the way Evolution displays mail messages. It is possible that an attacker could create a specially crafted mail message that when opened by a victim causes Evolution to stop responding. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0806 to this issue.

A bug was also found in Evolution's helper program camel-lock-helper.
This bug could allow a local attacker to gain root privileges if camel-lock-helper has been built to execute with elevated privileges.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0102 to this issue. On Red Hat Enterprise Linux, camel-lock-helper is not built to execute with elevated privileges by default. Please note however that if users have rebuilt Evolution from the source RPM, as the root user, camel-lock-helper may be given elevated privileges.

All users of evolution should upgrade to these updated packages, which include backported fixes to correct these issues.

Max Vozeler discovered an integer overflow in camel-lock-helper. An user-supplied length value was not validated, so that a value of -1 caused a buffer allocation of 0 bytes; this buffer was then filled by an arbitrary amount of user-supplied data.

A local attacker or a malicious POP3 server could exploit this to execute arbitrary code with root privileges (because camel-lock-helper is installed as setuid root).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Published	Updated	Severity
16290	Mandrake Linux Security Advisory : evolution (MDKSA-2005:024)	Nessus	Mandriva Local Security Checks	2/2/2005	1/6/2021	high
19097	FreeBSD : evolution -- arbitrary code execution vulnerability (b8943e61-6e68-11d9-a9e7-0001020eed82)	Nessus	FreeBSD Local Security Checks	7/13/2005	1/6/2021	high
18311	RHEL 3 : evolution (RHSA-2005:238)	Nessus	Red Hat Local Security Checks	5/19/2005	1/14/2021	high
16347	Debian DSA-673-1 : evolution - integer overflow	Nessus	Debian Local Security Checks	2/10/2005	1/4/2021	high
18197	RHEL 4 : evolution (RHSA-2005:397)	Nessus	Red Hat Local Security Checks	5/4/2005	11/4/2024	critical
21799	CentOS 3 : evolution (CESA-2005:238)	Nessus	CentOS Local Security Checks	7/3/2006	1/4/2021	high
16426	GLSA-200501-35 : Evolution: Integer overflow in camel-lock-helper	Nessus	Gentoo Local Security Checks	2/14/2005	1/6/2021	high
23980	CentOS 4 : Evolution (CESA-2005:397)	Nessus	CentOS Local Security Checks	1/8/2007	1/4/2021	high
20689	Ubuntu 4.10 : evolution vulnerability (USN-69-1)	Nessus	Ubuntu Local Security Checks	1/15/2006	1/19/2021	high

Detections

Analytics

Plugins Search

high

high

high

high

critical

high

high

high

high