ISS X-Force Database: evolution-multiple-attachments-dos(19497): Evolution multiple .ezm attachment denial of service

Evolution multiple .ezm attachment denial of service

evolution-multiple-attachments-dos (19497)

Medium Risk

Description:

Evolution is vulnerable to a denial of service attack. By attaching over 1000 specially-crafted .ezm files to an email, a remote attacker can cause Evolution to attempt to interpret the data, if the files are confirmed to contain text, and display the messages in the message window, resulting in a temporary denial of service. The victim will be unable to access Evolution until all messages are interpreted.

Consequences:

Denial of Service

Remedy:

For SCO UnixWare 7.1.4:
Upgrade to the appropriate fixed binaries, as listed in SCO Security Advisory SCOSA-2005.20. See References.

For Conectiva Linux:
Upgrade to the latest Evolution package, as listed below. Refer to Conectiva Linux Announcement CLSA-2005:1004 for more information. See References.

Conectiva Linux 10.0: 2.0.4-75609U10_6cl or later

For Red Hat Linux:
Refer to RHSA-2005:397-09 for patch, upgrade, or suggested workaround information. See References.

For Ubuntu Linux:
Refer to USN-166-1 for patch, upgrade or suggested workaround information. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

References:

Conectiva Linux Security Announcement CLSA-2005:1004: Fix for Evolution vulnerabilities.
Full-Disclosure Mailing List, Fri Feb 25 2005 - 18:45:32 CST : Novell/Ximian Evolution multiple text attachments DoS.
NOVELL - Novell Linux Desktop -Novell Evolution 2: E-mail, Calendaring and Collaboration, Novell Evolution 2.
SCO Security Advisory SCOSA-2005.20: UnixWare 7.1.4 : cdrecord local root exploit.
BID-12826: Novell Evolution Unspecified Denial of Service Vulnerability
CVE-2005-0806: Evolution 2.0.3 allows remote attackers to cause a denial of service (application crash or hang) via crafted messages, possibly involving charsets in attachment filenames.
MDKSA-2005:059: Updated evolution packages fix crasher
RHSA-2005-397: evolution security update
USN-166-1: Evolution vulnerabilities

Platforms Affected:

Canonical Ubuntu 4.10
Canonical Ubuntu 5.04
Conectiva Linux 1.0.0
RedHat Enterprise Linux 4 Desktop
RedHat Enterprise Linux 4 ES
RedHat Enterprise Linux 4 AS
RedHat Enterprise Linux 4 WS
Ximian Evolution 2.0.3

Reported:

Feb 25, 2005

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page