Bug 21013

Summary: tnef new security issue CVE-2017-8911
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: herman.viaene, lewyssmith, mageia, marja11, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5-32-OK MGA5-64-OK advisory
Source RPM: tnef-1.4.9-6.mga6.src.rpm CVE:
Status comment: Fixed upstream in 1.4.15
Bug Depends on:    
Bug Blocks: 20938    

Description David Walser 2017-06-02 12:12:56 CEST 
Debian has issued an advisory on June 1:
https://www.debian.org/security/2017/dsa-3869

Mageia 5 is also affected.

The previous security update may have caused a regression (Bug 20938) and we may want to update this to the newest version rather than simply patching.

This particular issue was fixed in 1.4.15.
David Walser 2017-06-02 12:13:07 CEST

Blocks: (none) => 20938
Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2017-06-03 08:47:53 CEST 
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2017-06-05 01:36:38 CEST 
Note that the new URL is https://github.com/verdammelt/tnef

Status comment: (none) => Fixed upstream in 1.4.15

Comment 3 Nicolas Lécureuil 2017-06-05 10:46:09 CEST 
freeze push requested.

CC: (none) => mageia

Rémi Verschelde 2017-06-05 11:02:34 CEST

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Comment 4 David Walser 2017-07-09 00:48:10 CEST 
Patched package uploaded for Mageia 5.

Advisory:
========================

Updated tnef package fixes security vulnerability:

It was discovered that tnef did not correctly validate its input. An attacker
could exploit this by tricking a user into opening a malicious attachment,
which would result in a denial-of-service by application crash (CVE-2017-8911).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8911
https://www.debian.org/security/2017/dsa-3869
========================

Updated packages in core/updates_testing:
========================
tnef-1.4.15-1.mga5

from tnef-1.4.15-1.mga5.src.rpm

Assignee: pkg-bugs => qa-bugs

Comment 5 Herman Viaene 2017-07-20 13:40:48 CEST 
MGA5-32 on Asus A6000VM Xfce
No installation issues.
Used attachment from bug 20343 and at CLI:
$ tnef -v winmail.dat 
zappa_av1.jpg	|	zappa_av1.jpg	|	unknown	|	
bookmark.htm	|	bookmark.htm	|	unknown	|	

Checked jpg and html file OK

CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK

Comment 6 Lewis Smith 2017-07-20 20:29:35 CEST 
Testing M5 x64 real hardware.

Updated to: tnef-1.4.15-1.mga5
Using the same attachment https://bugs.mageia.org/attachment.cgi?id=9088
the same command gave the same output as Comment 5; both extracted files view correctly. Update OK.
I discovered that if you do something like:
 $ tnef -v Downloads/winmail.dat
the extracted files are in the directory called from, not that referred to. Same if you use:
 $ tnef -vf Downloads/winmail.dat
The f paramater  = file.

Validating, advisory to follow.

Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Lewis Smith 2017-07-20 20:34:16 CEST

Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory

Comment 7 Mageia Robot 2017-07-22 10:56:28 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0209.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED