CVE-2013-4166: 
Linux Debian vulnerability analysis and mitigation

CVE-2013-4166 affects GNOME Evolution 3.8.4 and earlier versions, as well as Evolution Data Server 3.9.5 and earlier versions. The vulnerability was discovered in the gpg_ctx_add_recipient function within camel/camel-gpg-context.c, which incorrectly selects GPG keys for email encryption. This issue has been present since at least 2004 and was publicly disclosed in July 2013 (NVD, Red Hat Bugzilla).

The vulnerability stems from improper GPG key selection when encrypting emails. The function uses a basic 'gpg --encrypt -r address' command without proper email address bracketing, causing it to match every userid containing the address in any field. GPG returns the first match, which may result in selecting the wrong encryption key. The CVSS v3.1 base score is 7.5 (HIGH) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD).

When exploited, this vulnerability could result in emails being encrypted with incorrect public keys, potentially allowing unintended recipients who possess the corresponding private key to decrypt sensitive information. This is particularly concerning in cases where email addresses partially match, such as 'test@example.com' and 'foo-test@example.com', as the wrong recipient's key might be selected for encryption (Red Hat Bugzilla).

The issue was fixed in Evolution Data Server versions after 3.9.5 and Evolution versions after 3.8.4. The fix involves adding proper bracketing around email addresses in GPG commands as documented in the GPG manual. For affected versions, users can work around the issue by ensuring only one key per email address exists in their keyring (Red Hat Advisory).