Ximian Evolution UUencoded email could cause excessive memory consumption
| evolution-uuencoded-memory-consumption (11578) |  Medium Risk |
Description:
Evolution could allow a remote attacker to consume all available memory resources. A remote attacker could send a specially-crafted email containing multiple UUencoded strings to cause resource starvation and system instability.
Platforms Affected:
- Conectiva, Linux 7.0
- Conectiva, Linux 8.0
- Gentoo, Linux
- MandrakeSoft, Mandrake Linux 9.0
- MandrakeSoft, Mandrake Linux 9.1 PPC
- MandrakeSoft, Mandrake Linux 9.1
- RedHat, Linux 7.3
- RedHat, Linux 8.0
- RedHat, Linux 9.0
- Ximian, Evolution 1.0.3
- Ximian, Evolution 1.0.4
- Ximian, Evolution 1.0.5
- Ximian, Evolution 1.0.6
- Ximian, Evolution 1.0.7
- Ximian, Evolution 1.0.8
- Ximian, Evolution 1.1.1
- Ximian, Evolution 1.2
- Ximian, Evolution 1.2.1
- Ximian, Evolution 1.2.2
Remedy:
Upgrade to the latest version of Evolution (1.2.3 or later), when it becomes available from the Ximian Web site. See References.
For Red Hat Linux:
Upgrade to the latest evolution package, as listed below. Refer to RHSA-2003:108-19 for more information. See References.
Red Hat 7.3: 1.0.8-9.7x.1 or later
Red Hat 8.0: 1.0.8-11 or later
Red Hat 9: 1.2.2-5 or later
Upgrade to the latest version of evolution (1.2.3 or later), as listed in Gentoo Linux Security Announcement 200303-18. See References.
For Mandrake Linux:
Upgrade to the latest evolution package, as listed below. Refer to MandrakeSoft Security Advisory MDKSA-2003:045 : evolution for more information. See References.
Mandrake Linux 9.0: 1.0.8-3.1mdk or later
Mandrake Linux 9.1: 1.2.4-1.1mdk or later
For Conectiva Linux:
Upgrade to the latest evolution package, as listed below. Refer to Conectiva Linux Security Announcement CLSA-2003:648 for more information. See References.
Conectiva Linux 7.0: 1.0.3-2U70_1cl or later
Conectiva Linux 8.0: 1.0.3-6U80_2cl or later
For other distributions:
Contact your vendor for upgrade or patch information.
Consequences:
Denial of Service
References:
- Conectiva Linux Security Announcement CLSA-2003:648, evolution at http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000648.
- Core Security Technologies Advisory CORE-20030304-01, Multiple vulnerabilities in Ximian's Evolution Mail User Agent at http://www.coresecurity.com/common/showdoc.php?idx=309&idxseccion=10.
- Gentoo Linux Security Announcement 200303-18, evolution multiple vulnerabilities at http://www.linuxsecurity.com/content/view/104772/104/.
- Ximian Web site, Ximian : Products: Ximian Evolution : Download at http://www.ximian.com/products/evolution/.
- BID-7117: Ximian Evolution UUEncoding Parsing Memory Corruption Vulnerability
- BID-7118: Ximian Evolution UUEncoding Denial of Service Vulnerability
- CVE-2003-0129: Ximian Evolution Mail User Agent 1.2.2 and earlier allows remote attackers to cause a denial of service (memory consumption) via a mail message that is uuencoded multiple times.
- MDKSA-2003:045: Updated evolution packages fix multiple vulnerabilities
- RHSA-2003-108: Updated Evolution packages fix multiple vulnerabilities
Reported:
Mar 19, 2003
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net