| Summary: | libytnef new security issue X41-2017-002 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | Bruno Cornec <bruno> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | bruno, davidwhodgins, herman.viaene, mageia, qa-bugs, sysadmin-bugs |
| Version: | 5 | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | advisory MGA5-32-OK MGA5-64-OK | | |
| Source RPM: | libytnef-1.5-10.mga5.src.rpm | CVE: | |
| Status comment: | | | |
| Bug Depends on: | 20893 | | |
| Bug Blocks: | | | |

Description
David Walser
2017-02-16 01:41:37 CET
Debian has issued an advisory today (May 9): https://www.debian.org/security/2017/dsa-3846 It fixes several CVEs. I'm not sure if they're fixed in Cauldron or not.

I've pushed the latest git version in cauldron and asked for a freeze push. Will update mga5 as a follow-up.

I'm unsure why there is a version mismatch now. When I imported it the version was 2.6 somehow (at least for ytnef itself or the lib), and now it appears they use 1.9.x. We should work on a fix sometime.

Ok, I found the issue. I got ytnef originally from sf.net: https://sourceforge.net/projects/ytnef/files/libytnef/ and they were using 2.6 as a version for the tool and 1.5 for the lib. In mga6 the update was done using the github repo which is up to date but seems to have adopted the lib version going forward, not the tool version. Thus our mismatch. The sf.net version isn't maintained, so we would have to push that new ytnef package into 5 to solve the issue, but I'm unsure on how to do that correctly. (The latest git version from cauldron builds fine on mga5 BTW.)

Status: NEW => ASSIGNED

So, after looking at Debian, Jessie is using the same version as us in mga5 so I shamelessly stole their patches to apply it successfully to our mga5 version. Push to updates_testing and advisory written.

Assignee:
bruno => qa-bugs

Bruno, thanks for the update. Just a couple of things I noticed:

1) the tarball in mga5 is in SVN instead of the binrepo
2) you could fix the version in Cauldron by adding an Epoch
3) you should always post the advisory to the bug as well
4) the advisory in SVN is insufficient

QA team, please replace the advisory with the following:

Advisory:
========================

Updated libytnef packages fix security vulnerabilities:

Several issues were discovered in libytnef, a library used to decode application/ms-tnef e-mail attachments. Multiple heap overflows, out-of-bound writes and reads, NULL pointer dereferences and infinite loops could be exploited by tricking a user into opening a maliciously crafted winmail.dat file (CVE-2017-6298, CVE-2017-6299, CVE-2017-6300, CVE-2017-6301, CVE-2017-6302, CVE-2017-6303, CVE-2017-6304, CVE-2017-6305, CVE-2017-6306, CVE-2017-6800, CVE-2017-6801, CVE-2017-6802).

References:

- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6298
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6299
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6300
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6301
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6302
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6303
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6304
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6305
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6306
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6800
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6801
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6802
- http://openwall.com/lists/oss-security/2017/02/15/4
- https://www.debian.org/security/2017/dsa-3846

CC:
(none) => bruno

Advisory updated in svn

CC: (none) => davidwhodgins

MGA-32 on Asus A6000VM Xfce

No installation issues. Took the dip and found libytnef-devel-1.5-10.1 and libytnef0-1.5-10.1 in the updates.

At CLI:

    # urpmq --whatrequires-recursive libytnef0
    evolution
    evolution
    evolution-devel
    evolution-devel
    evolution-ews
    evolution-sharp
    evolution-sharp-devel
    libytnef-devel
    libytnef-devel
    libytnef0

So I installed evolution and

    $ strace -o /home/tester5/Documenten/ytnef.txt evolution

generated some pages of warnings, but following its wizard to set up a mail account. Received some messages and the trace file shows libytnef being called.

CC:
(none) => herman.viaene

Ok on x86_64, also using evolution. Validating the update

Whiteboard: advisory MGA5-32-OK => advisory MGA5-32-OK MGA5-64-OK

A new update for this actually got pushed in Bug 20893 after this was tested.

CC:
(none) => qa-bugs

Update ID assignment failed

    Checking for QA validation keyword…
    Checking dependent bugs… 20893
    Dependent bug! Publish anyway? [y/N]:
    Checking SRPMs… (5/core/libytnef-1.5-10.1.mga5)
    'validated_update' keyword reset.

Keywords: validated_update => (none)

Nicolas, would you mind taking a look at the update pushing script? It shouldn't have tried to push this one, as it was no longer assigned to QA.

CC:
(none) => mageia

Fixed in: http://advisories.mageia.org/MGASA-2017-0174.html

Resolution: (none) => FIXED