Bug 25785

Summary: tnef new security issue CVE-2019-18849
Product: Mageia Reporter: Zombie Ryushu <zombie.ryushu>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, geiger.david68210, herman.viaene, smelror, sysadmin-bugs, tmb
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://linuxsecurity.com/advisories/deblts/debian-lts-dla-2005-1-tnef-security-update-15-19-18
Whiteboard: MGA7-64-OK
Source RPM: tnef-1.4.17-2.mga7.src.rpm CVE: CVE-2019-18849
Status comment:

Zombie Ryushu 2019-11-29 21:44:04 CET

CVE: (none) => CVE-2019-18849

Comment 1 Lewis Smith 2019-11-29 21:57:48 CET 
Thank you for this notice.
I have checked for no duplicate bug.
Assigning to DavidG as latest committer; CC Stig as having done it before.
No registered maintainer.

Assignee: bugsquad => geiger.david68210
Source RPM: tnef => tnef-1.4.17-2.mga7.src.rpm
CC: (none) => smelror

Comment 2 David GEIGER 2019-11-30 08:01:34 CET 
Done for mga7!
Comment 3 David Walser 2019-11-30 15:47:52 CET 
Saving advisory for the moment...David, it needs to be updated in Cauldron also.

Advisory:
========================

Updated tnef package fixes security vulnerability:

In tnef, an attacker may be able to write to the victim's .ssh/authorized_keys
file via an e-mail message with a crafted winmail.dat application/ms-tnef
attachment, because of a heap-based buffer over-read involving strdup
(CVE-2019-18849).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18849
https://www.debian.org/lts/security/2019/dla-2005
========================

Updated packages in core/updates_testing:
========================
tnef-1.4.18-1.mga7

from tnef-1.4.18-1.mga7.src.rpm

Summary: tnef security update CVE-2019-18849 => tnef new security issue CVE-2019-18849
Version: 7 => Cauldron
Severity: normal => major
Whiteboard: (none) => MGA7TOO

Comment 4 David GEIGER 2019-11-30 17:26:54 CET 
Already updated in Cauldron!
Comment 5 David Walser 2019-11-30 18:06:15 CET 
Yes I see.  Sophie is outdated.

QA, advisory and package in Comment 3.

Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs

Comment 6 Herman Viaene 2019-12-05 11:44:50 CET 
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref to bug 20343 for a testfile, then at CLI
$ tnef -v winmail.dat 
zappa_av1.jpg   |       zappa_av1.jpg   |       unknown |
bookmark.htm    |       bookmark.htm    |       unknown |
The Picture shows OK and I could import the bookmarks into Firefox
OK for me

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 7 Thomas Andrews 2019-12-05 22:52:54 CET 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-12-06 13:33:46 CET

Keywords: (none) => advisory
CC: (none) => tmb

Comment 8 Mageia Robot 2019-12-06 15:17:33 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0367.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED