CVE-2021-3349

Name: CVE-2021-3349
Description: GNOME Evolution through 3.38.3 produces a "Valid signature" message for an unknown identifier on a previously trusted key because Evolution does not retrieve enough information from the GnuPG API. NOTE: third parties dispute the significance of this issue, and dispute whether Evolution is the best place to change this behavior.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                                     Version                               Status
evolution (PTS)  jessie, jessie (lts)                        3.12.9~git20141130.241663-1+deb8u1    vulnerable
                 stretch (security), stretch (lts), stretch  3.22.6-1+deb9u2                       vulnerable
                 buster                                      3.30.5-1.1                            vulnerable
                 bullseye (security), bullseye               3.38.3-1+deb11u2                      vulnerable
                 bookworm                                    3.46.4-2                              vulnerable
                 sid, trixie                                 3.54.1-1                              vulnerable

The information below is based on the following data on fixed versions.

Package    Type    Release     Fixed Version  Urgency      Origin  Debian Bugs
evolution  source  (unstable)  (unfixed)      unimportant

Notes

GNOME Evolution upstream claims that the issue should be fixed completely
on the GnuPG side, whilst the reporter claims that GnuPG provides what is
needed to address it on Evolution's side.
https://dev.gnupg.org/T4735
https://gitlab.gnome.org/GNOME/evolution/-/issues/299
https://mgorny.pl/articles/evolution-uid-trust-extrapolation.html
