Bug 6881

Summary: libytnef potential buffer overflow
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: oe, stblack, stormi-mageia, sysadmin-bugs, tmb
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/506955/
Whiteboard: MGA1TOO has_procedure MGA1-32-OK MGA2-32-OK MGA1-64-OK MGA2-64-OK
Source RPM: libytnef-1.5-5.mga1.src.rpm CVE:
Status comment:

Description David Walser 2012-07-27 16:37:16 CEST 
Fedora has issued an advisory on July 5:
http://lists.fedoraproject.org/pipermail/package-announce/2012-July/083853.html

Patched package uploaded for Mageia 1, Mageia 2, and Cauldron.

Note to QA: reproducer instructions are on the RedHat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=831322

Advisory:
========================

Updated libytnef package fixes security vulnerability:

Function DecompressRTF() in libytnef 1.5 leads to a buffer overflow on
certain TNEF files (presumably, on files, generated by some recent
versions of MS software).

References:
http://sourceforge.net/tracker/?func=detail&aid=2949686&group_id=70352&atid=527487
http://lists.fedoraproject.org/pipermail/package-announce/2012-July/083853.html
========================

Updated packages in core/updates_testing:
========================
libytnef0-1.5-5.5.mga1
libytnef-devel-1.5-5.5.mga1
libytnef0-1.5-5.5.mga2
libytnef-devel-1.5-5.5.mga2

from SRPMS:
libytnef-1.5-5.1.mga1.src.rpm
libytnef-1.5-5.1.mga2.src.rpm
David Walser 2012-07-27 16:37:22 CEST

Whiteboard: (none) => MGA1TOO

Samuel Verschelde 2012-07-31 21:28:11 CEST

CC: (none) => stormi
Whiteboard: MGA1TOO => MGA1TOO has_procedure

Comment 1 Samuel Verschelde 2012-08-04 10:12:45 CEST 
Testing complete on Mageia 1 32 bits.

--- Detailed procedure ---

Before installing the update candidate:

wget "http://sourceforge.net/tracker/download.php?group_id=70352&atid=533948&file_id=53396&aid=756215" -O winmail.dat

then install the fedora ytnef package, since we don't have it on Mageia.
http://rpm.pbone.net/index.php3?stat=3&search=ytnef

then:

ytnefprint winmail.dat # crashes

then install the update candidate "urpmi libytnef0 --media 'Updates Testing'"

ytnefprint winmail.dat # doesn't crash anymore
Samuel Verschelde 2012-08-04 10:12:55 CEST

Whiteboard: MGA1TOO has_procedure => MGA1TOO has_procedure MGA1-32-OK

Comment 2 Samuel Verschelde 2012-08-04 10:17:58 CEST 
Testing complete on Mageia 2 32 bits.

Whiteboard: MGA1TOO has_procedure MGA1-32-OK => MGA1TOO has_procedure MGA1-32-OK MGA2-32-OK

Comment 3 Samuel Verschelde 2012-08-04 11:20:48 CEST 
Testing complete on Mageia 1 64 bits. We need a tester for Mageia 2 64 and the update can go.

Whiteboard: MGA1TOO has_procedure MGA1-32-OK MGA2-32-OK => MGA1TOO has_procedure MGA1-32-OK MGA2-32-OK MGA1-64-OK

Comment 4 Stefano Negro 2012-08-04 14:38:37 CEST 
I did before : 
wget "http://sourceforge.net/tracker/download.php?group_id=70352&atid=533948&file_id=53396&aid=756215" -O winmail.dat

Then I downloaded and installed : 
Fedora 16
download.fedora.redhat.com/pub/fedora/linux/releases/16/Everything/x86_64/os/Packages/ytnef-2.6-6.fc15.x86_64.rpm

Test pre-update ok. Crash as expected.
ytnefprint winmail.dat"
......
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
*** buffer overflow detected ***: ytnefprint terminated
======= Backtrace: =========

So I enabled and updated testing repos and did the ytnef update to fix it.
It works, and the end of "ytnefprint winmail.dat"

[1] [File      ] ZAPPA_~2.JPG
    Modified on: Monday April 7, 2003 10:35:38 am
    MAPI Properties: 18
    Attachment Size:  2937b
    File saves as [zappa_av1.jpg]
[2] [File      ] bookmark.htm
    Modified on: Tuesday June 17, 2003 10:22:41 am
    MAPI Properties: 18
    Attachment Size:  85805b
    File saves as [bookmark.htm]

So on x86_64 it's validated

Bye
Stblack

CC: (none) => stblack

Stefano Negro 2012-08-04 14:39:15 CEST

Whiteboard: MGA1TOO has_procedure MGA1-32-OK MGA2-32-OK MGA1-64-OK => MGA1TOO has_procedure MGA1-32-OK MGA2-32-OK MGA1-64-OK MGA2-64-OK

Comment 5 Samuel Verschelde 2012-08-04 15:44:38 CEST 
Update validated.

See comment #0 for advisory and packages. Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 Thomas Backlund 2012-08-06 18:39:15 CEST 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0201

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Comment 7 Oden Eriksson 2013-04-11 07:59:33 CEST 
FYI. This one got CVE-2010-5109

CC: (none) => oe