CVE-2021-3349

Name: CVE-2021-3349
Description: ** DISPUTED ** GNOME Evolution through 3.38.3 produces a "Valid signature" message for an unknown identifier on a previously trusted key because Evolution does not retrieve enough information from the GnuPG API. NOTE: third parties dispute the significance of this issue, and dispute whether Evolution is the best place to change this behavior.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: low

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| evolution (PTS) | stretch (security), stretch | 3.22.6-1+deb9u2 | vulnerable |
| | buster | 3.30.5-1.1 | vulnerable |
| | bullseye, sid | 3.38.3-1 | vulnerable |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| evolution | source | (unstable) | (unfixed) | unimportant | | |

Notes

GNOME Evolution upstream claims that the issue should be fixed completely
on the GnuPG side, whilst the reporter claims that GnuPG provides what is
needed to address it on Evolution's side.
https://dev.gnupg.org/T4735
https://gitlab.gnome.org/GNOME/evolution/-/issues/299
https://mgorny.pl/articles/evolution-uid-trust-extrapolation.html
