CVE-2018-15587

Name: CVE-2018-15587
Description: GNOME Evolution through 3.28.2 is prone to OpenPGP signatures being spoofed for arbitrary messages using a specially crafted email that contains a valid signature from the entity to be impersonated as an attachment.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-1766-1, DSA-4457-1
NVD severity: medium (attack range: remote)
Debian Bugs: 924616

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| evolution (PTS) | jessie | 3.12.9~git20141130.241663-1 | vulnerable |
| | jessie (security) | 3.12.9~git20141130.241663-1+deb8u1 | fixed |
| | stretch | 3.22.6-1+deb9u1 | vulnerable |
| | stretch (security) | 3.22.6-1+deb9u2 | fixed |
| | buster, sid | 3.30.5-1.1 | fixed |

The information below is based on the following data on fixed versions.

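| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| evolution | source | (unstable) | 3.30.5-1.1 | medium | | 924616 |
| evolution | source | jessie | 3.12.9~git20141130.241663-1+deb8u1 | medium | DLA-1766-1 | |
| evolution | source | stretch | 3.22.6-1+deb9u2 | medium | DSA-4457-1 | |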

Notes

https://gitlab.gnome.org/GNOME/evolution/issues/120
https://bugzilla.gnome.org/show_bug.cgi?id=796424
https://gitlab.gnome.org/GNOME/evolution/commit/9c55a311325f5905d8b8403b96607e46cf343f21 (evolution)
https://gitlab.gnome.org/GNOME/evolution/commit/f66cd3e1db301d264563b4222a3574e2e58e2b85 (evolution)
