CVE-2018-15587

Name: CVE-2018-15587
Description: GNOME Evolution through 3.28.2 is prone to OpenPGP signatures being spoofed for arbitrary messages using a specially crafted email that contains a valid signature from the entity to be impersonated as an attachment.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-1766-1, DSA-4457-1
Debian Bugs: 924616

Vulnerable and fixed packages

The table below lists information on source packages.

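| Source Package | Release | Version | Status |
|---|---|---|---|
| evolution (PTS) | jessie, jessie (lts) | 3.12.9~git20141130.241663-1+deb8u1 | fixed |
| evolution | stretch (security), stretch (lts), stretch | 3.22.6-1+deb9u2 | fixed |
| evolution | buster | 3.30.5-1.1 | fixed |
| evolution | bullseye (security), bullseye | 3.38.3-1+deb11u2 | fixed |
| evolution | bookworm | 3.46.4-2 | fixed |
| evolution | sid, trixie | 3.54.1-1 | fixed |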

The information below is based on the following data on fixed versions.

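| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| evolution | source | wheezy | (unfixed) | end-of-life | | |
| evolution | source | jessie | 3.12.9~git20141130.241663-1+deb8u1 | | DLA-1766-1 | |
| evolution | source | stretch | 3.22.6-1+deb9u2 | | DSA-4457-1 | |
| evolution | source | (unstable) | 3.30.5-1.1 | | | 924616 |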

Notes

https://gitlab.gnome.org/GNOME/evolution/issues/120
https://bugzilla.gnome.org/show_bug.cgi?id=796424
https://gitlab.gnome.org/GNOME/evolution/commit/9c55a311325f5905d8b8403b96607e46cf343f21 (evolution)
https://gitlab.gnome.org/GNOME/evolution/commit/f66cd3e1db301d264563b4222a3574e2e58e2b85 (evolution)
