REDHAT-BUG-733504
First published: Thu Aug 25 2011(Updated: )
This is another Evolution security issue that I found upstream but presume also affects Fedora and would like to put on the Fedora security team's radar. If my filing such bugs is not appreciated, please let me know and I will stop. Description of problem: Evolution registers a "mailto:" URL handler that accepts a parameter to attach a local file. Thus, a web site can launch the composer on an email with a confidential file attached and try to trick the user into sending it. Version-Release number of selected component (if applicable): Upstream gnome-3-0 branch as of 2011-08-24 How reproducible: Always Steps to Reproduce: 1. Go to <a href="https://mattmccutchen.net/private/evolution-mailto-test">https://mattmccutchen.net/private/evolution-mailto-test</a> . 2. Click "Send" in the composer. Actual results: Your SSH private key is emailed to me. Expected results: A prompt is shown and you decline to attach the private key.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Evolution | >=2011-08-24 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://mattmccutchen.net/private/evolution-mailto-test
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=520081
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=520081&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=733504#c6
- https://bugzilla.gnome.org/show_bug.cgi?id=657374#c3
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=733504#c8
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=733504#c2
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=757164
- https://rhn.redhat.com/errata/RHSA-2013-0516.html
- https://bugzilla.redhat.com/show_bug.cgi?id=733504
Frequently Asked Questions
What is the severity of REDHAT-BUG-733504?
The severity of REDHAT-BUG-733504 is currently under investigation but it is considered a security issue affecting GNOME Evolution.
How do I fix REDHAT-BUG-733504?
To fix REDHAT-BUG-733504, you should update to the latest version of GNOME Evolution that includes security patches addressing this vulnerability.
Which versions of GNOME Evolution are affected by REDHAT-BUG-733504?
Versions of GNOME Evolution from 2011-08-24 and later are affected by REDHAT-BUG-733504.
What impact does REDHAT-BUG-733504 have on users?
REDHAT-BUG-733504 may allow unauthorized access or manipulation of 'mailto:' URLs, potentially compromising user privacy and security.
Who should I contact regarding REDHAT-BUG-733504?
If you have further questions or concerns about REDHAT-BUG-733504, you should contact the Fedora security team or the GNOME project maintainers.
- agent/references
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2011-3201
- agent/severity
- agent/description
- agent/event
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/gnome
- canonical/evolution