Bug 137209

Summary: Evolution Crashes after receiving an email with a vcard for 2006 date
Product: [openSUSE] SUSE LINUX 10.0
Reporter: Alex Weeks <alex>
Component: GNOME
Assignee: Stanislav Brabec <sbrabec>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Critical
Priority: P5 - None
CC: forgotten_ex4EZfzxBL, mls, security-team
Version: unspecified
Target Milestone: ---
Hardware: x86
OS: Other
Whiteboard:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: The patches fixes the crash

Description Alex Weeks 2005-12-06 18:19:12 UTC
This is a known bug:  http://bugzilla.gnome.org/show_bug.cgi?id=315345
or

http://bugzilla.gnome.org/show_bug.cgi?id=322861

This has been resolved with Evolution 2.4.1  

This bug makes it near impossible to use Evolution for anything critical. Please release an updated RPM.
Comment 2 Marcus Meissner 2005-12-07 10:23:15 UTC
is this security relevant?

can a remote user cause this (by attaching vcard attachment for instance)?

does it just crash, or can the attacker execute code? 

can someone perhaps attach the patch?
Comment 3 Andreas Jaeger 2005-12-07 11:02:42 UTC
Please attach a patch for just this problem.
Comment 4 Forgotten User ex4EZfzxBL 2005-12-08 15:20:03 UTC
Created attachment 60118
The patches fixes the crash
Comment 5 Andreas Jaeger 2005-12-09 08:42:58 UTC
YOU update approve with just adding the patch from comment 4, swamp-ID is: Maintenance-Tracker-3189
Comment 6 JP Rosevear 2005-12-09 13:10:05 UTC
Re-assigning to gary to do the update.
Comment 7 Stanislav Brabec 2005-12-09 15:27:24 UTC
Packages for testing are in:
ftp://ftp.suse.com/pub/people/sbrabec/testing/137209/

Submitted for 10.0:

Patchinfo submitted to:
/work/src/done/PATCHINFO/evolution.patch.box

Patchinfo is world-writable. Please translate to German. It is "recommended". Security team can re-classify it as "security", if they think so.
Comment 8 Alex Weeks 2005-12-19 15:36:13 UTC
When will these updated rpm's be released?  Also, why are the version #'s lower than the current ones?

This is causing me a major production issue.  I am receiving 2 - 4 vcard attachments a day for 2006.

When I "rpm -Uvh --test" the packages all it complains about is that I have a "newer version" already installed.

Current rpm's released:
evolution-exchange-2.4.0-5
evolution-webcal-2.4.0.1-3
evolution-2.4.0-3.2
evolution-data-server-1.4.0-5.2
evolution-pilot-2.4.0-3.2

Patch versions:
evolution-2.4.0-3.1.i586.rpm
evolution-2.4.0-3.1.src.rpm
evolution-devel-2.4.0-3.1.i586.rpm
evolution-pilot-2.4.0-3.1.i586.rpm
Comment 9 Marcus Meissner 2005-12-19 17:05:11 UTC
we are preparing updates. likely going out tomorrow.
Comment 10 Marcus Meissner 2005-12-20 12:44:45 UTC
i just approved the updated packages.