| Name | CVE-2021-3349 |
| Description | GNOME Evolution through 3.38.3 produces a "Valid signature" message for an unknown identifier on a previously trusted key because Evolution does not retrieve enough information from the GnuPG API. NOTE: third parties dispute the significance of this issue, and dispute whether Evolution is the best place to change this behavior |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| evolution (PTS) | buster | 3.30.5-1.1 | vulnerable |
| bullseye (security), bullseye | 3.38.3-1+deb11u2 | vulnerable |
| bookworm | 3.46.4-2 | vulnerable |
| sid, trixie | 3.50.3-1 | vulnerable |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| evolution | source | (unstable) | (unfixed) | unimportant | | |
Notes
GNOME Evlolution upstreams claims that the issue should be fixed completely
on the GnuPG side, whilst the reporter claims theat GnuPG provides what is
needed to adress it on evolution's side.
https://dev.gnupg.org/T4735
https://gitlab.gnome.org/GNOME/evolution/-/issues/299
https://mgorny.pl/articles/evolution-uid-trust-extrapolation.html