+++ This bug was initially created as a clone of Bug #165235 +++ (don't yet know if this affects RHEL3)
From versions given in description (see bug 165235) would appear not to affect RHEL3. Haven't checked yet though.
It appears that at least part of the advisory may cover Evolution 1.4 and hence RHEL3, and that there may be other similar vulnerabilities in RHEL3 (but not RHEL4) that were not covered in Sitic's advisory. The details, looking at their proposed patch:

calendar/gui/e-cal-component-preview.c: source file doesn't exist on RHEL3 evolution, appears to be no equivalent: OK
addressbook/gui/widgets/eab-contact-display.c: doesn't exist on RHEL3 evolution: OK
addressbook/gui/widgets directory: no usage of gtk_html_stream_printf: OK
calendar/gui/e-calendar-view.c: source file doesn't exist on RHEL3 evolution, appears to be no equivalent: OK
calendar/gui/e-calendar-table.c: vulnerability appears to be relevant for RHEL3 Evolution, contradicting what is said in the advisory: BAD
calendar/gui directory: have checked all usages of gtk_html_stream_printf; all use constant hardcoded format strings.

Checking usage of fprintf: appear to be problems in saving views:
calendar/gui/e-day-view.c: e_day_view_on_save_as
calendar/gui/e-week-view.c: e_week_view_on_save_as
both contain an:
    fprintf (file, ical_string);
These fprintfs are not present in the RHEL4 version.
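The fprintf (file, ical_string) pattern flagged in the comment above, shown beside a hardened writer and a helper that counts the conversion directives such data would carry into fprintf. This is an added example, not code from Evolution or from the bug report; the sample iCalendar text and the function names are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample iCalendar text (not from the bug report): the SUMMARY
   carries '%' sequences that fprintf would treat as conversion directives
   if the string were passed as the format argument. */
static const char *sample_ical =
    "BEGIN:VCALENDAR\r\n"
    "BEGIN:VEVENT\r\n"
    "SUMMARY:Budget review %s %x\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n";

/* Count printf conversion directives in data that is about to be written.
   "%%" is an escaped percent and is not counted. A non-zero result means
   fprintf(file, data) would read arguments that were never supplied. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }  /* literal percent */
        n++;
    }
    return n;
}

/* Hardened equivalent of the save-as pattern: the calendar text is data, so
   it goes through fputs() (or fprintf(file, "%s", ...)), never as the format.
   Returns the number of bytes written, or -1 on error. */
long save_ical_safe(FILE *file, const char *ical_string)
{
    if (fputs(ical_string, file) == EOF) return -1;
    return (long)strlen(ical_string);
}

/* Round-trip check: write to a temporary file and compare what is read back
   with the original string. Returns 1 when the bytes match exactly. */
int roundtrip_matches(const char *ical_string)
{
    FILE *f = tmpfile();
    if (!f) return 0;
    long n = save_ical_safe(f, ical_string);
    if (n < 0) { fclose(f); return 0; }
    rewind(f);
    char *buf = malloc((size_t)n + 1);
    if (!buf) { fclose(f); return 0; }
    size_t got = fread(buf, 1, (size_t)n, f);
    buf[got] = '\0';
    int ok = (got == (size_t)n) && strcmp(buf, ical_string) == 0;
    free(buf);
    fclose(f);
    return ok;
}
```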
I didn't see that Security had been unflagged, and that last comment got sent to cluebot. Sorry. Have rechecked the Security Sensitive box.
See above two comments
Created attachment 117632 [details] Proposed patch to 1.4.5 to fix format strings in calendar code
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2005-267.html