S/MIME Signature Spoofing in Evolution by Novell
CVE-2009-0547
Currently unrated
What is CVE-2009-0547?
The vulnerability in Evolution 2.22.3.1 lies in how it checks S/MIME signatures. Instead of verifying the signature against the email text displayed to the user, it verifies an internal copy of the text held within the signed-data blob. A remote attacker can therefore alter the displayed text while leaving the signed blob intact: the signature still verifies, so the altered message is presented as validly signed. This signature spoofing can mislead users into trusting falsified emails.
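
The mismatch described above, as an added example that is not Evolution's code: a Python model that contrasts a verifier checking only the embedded copy with one that also requires the displayed text to match the signed copy. It assumes an HMAC as a stand-in for the CMS signature, and `Message`, `SignedBlob`, `verify_flawed` and `verify_bound` are hypothetical names.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Assumption: an HMAC with a fixed demo key stands in for the CMS signature;
# a real client verifies against the signer's certificate chain.
DEMO_KEY = b"constructed-demo-key"

@dataclass
class SignedBlob:
    content: bytes    # copy of the e-mail text inside the signed-data blob
    signature: bytes  # computed over `content` only

@dataclass
class Message:
    displayed_text: bytes  # what the mail client renders for the user
    blob: SignedBlob

def sign(text: bytes) -> SignedBlob:
    return SignedBlob(text, hmac.new(DEMO_KEY, text, hashlib.sha256).digest())

def blob_signature_ok(blob: SignedBlob) -> bool:
    expected = hmac.new(DEMO_KEY, blob.content, hashlib.sha256).digest()
    return hmac.compare_digest(expected, blob.signature)

def canonical(text: bytes) -> bytes:
    # Compare with uniform CRLF line endings so transport re-wrapping of
    # newlines alone does not cause a false mismatch.
    return b"\r\n".join(text.splitlines())

def verify_flawed(msg: Message) -> bool:
    # Behaviour the advisory describes: only the embedded copy is checked.
    return blob_signature_ok(msg.blob)

def verify_bound(msg: Message) -> bool:
    # Valid only if the signature holds AND the user sees the signed text.
    return blob_signature_ok(msg.blob) and hmac.compare_digest(
        canonical(msg.displayed_text), canonical(msg.blob.content))

def check(msg: Message) -> dict:
    return {"flawed": verify_flawed(msg), "bound": verify_bound(msg)}

# Constructed sample messages.
ORIGINAL = b"Meeting moved to 10:00.\r\nRegards, Alice"
genuine = Message(ORIGINAL, sign(ORIGINAL))
altered = Message(b"Meeting moved to 14:00.\r\nRegards, Alice", genuine.blob)

if __name__ == "__main__":
    print("genuine:", check(genuine))
    print("altered:", check(altered))
```

A client can avoid the comparison altogether by rendering only the bytes it has verified.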
