Bug 21047

Summary: libytnef new security issues CVE-2017-947[0-4]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: Bruno Cornec <bruno>
Status: RESOLVED OLD QA Contact: Sec team <security>
Severity: normal    
Priority: Normal    
Version: 5   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: libytnef-1.5-10.2.mga5.src.rpm CVE:
Status comment: Many unpatched upstream security issues, only used by evolution and claws-mail and could be disabled

Description David Walser 2017-06-08 03:15:04 CEST 
Several security issues in ytnef have been announced:
http://openwall.com/lists/oss-security/2017/06/07/3
http://openwall.com/lists/oss-security/2017/06/07/4
http://openwall.com/lists/oss-security/2017/06/07/5
http://openwall.com/lists/oss-security/2017/06/07/6
http://openwall.com/lists/oss-security/2017/06/07/7
http://openwall.com/lists/oss-security/2017/06/07/8

(including the first one above that doesn't have a CVE).

No fixes appear to be available yet.

libytnef in Mageia 5 may be affected as well.
Comment 1 Rémi Verschelde 2017-07-01 10:03:25 CEST 
Some more security issues, partly related (just two more sec researchers running their tests after AGO): https://github.com/Yeraze/ytnef/issues (basically all opened issues are security bugs)

ytnef has two reverse deps in Cauldron:
evolution:libytnef-devel
claws-mail:libytnef-devel
Comment 2 Rémi Verschelde 2017-07-01 10:10:43 CEST 
Checked evolution and claws-mail:
- evolution: tnef plugin can be disabled if the BuildRequires is removed (autotools will disable it automatically if missing)
- claws-mail: tnef plugin can be disabled via the `--disable-tnef_parse-plugin` configure option

So we could drop ytnef if we want; Bruno, David, WDYT?
Rémi Verschelde 2017-07-01 10:11:14 CEST

Status comment: (none) => Many unpatched upstream security issues, only used by evolution and claws-mail and could be disabled

Comment 3 David Walser 2017-07-01 16:14:54 CEST 
I think dropping would be OK.  I don't understand why there are three different tnef implementations (tnef, ytnef, ktnef) that all have had recent security issues, instead of everyone settling around one common library.  If we drop ytnef, the tnef program will still be available for dealing with these attachments.  If ytnef fixes their issues and people don't like evolution/claws-mail not having the built-in support, we can always reintroduce ytnef as an update later.
Comment 4 David Walser 2017-07-07 12:02:01 CEST 
Dropped from Mageia 6.  Mageia 5 may or may not be affected.

Source RPM: ytnef-1.9.2-1.mga6.src.rpm => libytnef-1.5-10.2.mga5.src.rpm
Summary: ytnef new security issues CVE-2017-947[0-4] => libytnef new security issues CVE-2017-947[0-4]
Version: Cauldron => 5

Comment 5 David Walser 2017-12-28 06:11:06 CET 
Don't open any TNEF attachments in claws-mail or evolution ;o)

Status: NEW => RESOLVED
Resolution: (none) => OLD