Evolution is the integrated collection of e-mail, calendaring, contactmanagement, communications and personal information management (PIM) toolsfor the GNOME desktop environment.A flaw was found in the way Evolution parsed iCalendar timezone attachmentdata. If the Itip Formatter plug-in was disabled and a user opened a mailwith a carefully crafted iCalendar attachment, arbitrary code could beexecuted as the user running Evolution. (CVE-2008-1108)Note: the Itip Formatter plug-in, which allows calendar information(attachments with a MIME type of "text/calendar") to be displayed as partof the e-mail message, is enabled by default.A heap-based buffer overflow flaw was found in the way Evolution parsediCalendar attachments with an overly long "DESCRIPTION" property string. Ifa user responded to a carefully crafted iCalendar attachment in aparticular way, arbitrary code could be executed as the user runningEvolution. (CVE-2008-1109).The particular response required to trigger this vulnerability was asfollows:1. Receive the carefully crafted iCalendar attachment.2. Accept the associated meeting.3. Open the calender the meeting was in.4. Reply to the sender.Red Hat would like to thank Alin Rad Pop of Secunia Research forresponsibly disclosing these issues.All Evolution users should upgrade to these updated packages, which containbackported patches which resolves these issues.