Bug 20299 - libytnef new security issue X41-2017-002
Summary: libytnef new security issue X41-2017-002
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All Linux
: Normal normal
Target Milestone: ---
Assignee: Bruno Cornec
QA Contact: Sec team
URL:
Whiteboard: advisory MGA5-32-OK MGA5-64-OK
Keywords:
Depends on: 20893
Blocks:
  Show dependency treegraph
 
Reported: 2017-02-16 01:41 CET by David Walser
Modified: 2017-06-15 01:39 CEST (History)
6 users (show)

See Also:
Source RPM: libytnef-1.5-10.mga5.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2017-02-16 01:41:37 CET
Upstream has issued an advisory today (February 15):
http://openwall.com/lists/oss-security/2017/02/15/4

The issue is fixed in version 1.9.1 and the patch to fix it is included in the message above.

Cauldron is likely affected too as it appears to be a git snapshot with an invalid version.
Comment 1 David Walser 2017-05-09 16:44:17 CEST
Debian has issued an advisory today (May 9):
https://www.debian.org/security/2017/dsa-3846

It fixes several CVEs.  I'm not sure if they're fixed in Cauldron or not.
Comment 2 Bruno Cornec 2017-05-11 01:59:59 CEST
I've pushed the latest git version in cauldron and asked for a freeze push.
Will update mga5 as a follow-up.

I'm unsure why there is a version mismatch now. When I imported it the versin was 2.6 somehow (at least for ytnef itself or the lib), and now it appears they use 1.9.x. We should work on a fix sometime.
Comment 3 Bruno Cornec 2017-05-11 02:07:09 CEST
Ok, I found the issue.

I got ytnef originally from sf.net: https://sourceforge.net/projects/ytnef/files/libytnef/ and they were using 2.6 as a version for the tool and 1.5 for the lib. 

In mga6 the update was done using the github repo which is up to date but seems ti have adopted the lib version going forward, not the tool version. Thus our mismatch.

The sf.net version isn't maintained, so we would have to push that new ytnef pckage into 5 to solve the issue, but I'm unsure on how to do that correctly. (the latest git version from cauldron build fine on mga5 BTW).
Comment 4 Bruno Cornec 2017-05-11 02:31:04 CEST
So, after looking at Debian, Jessie is using the same version as us in mga5 so I shamelessly stole their patches to apply it successfully to our mga5 version. Push to updates_testing and advisory written.
Comment 5 David Walser 2017-05-13 18:55:09 CEST
Bruno, thanks for the update.  Just a couple of things I noticed:
1) the tarball in mga5 is in SVN instead of the binrepo
2) you could fix the version in Cauldron by adding an Epoch
3) you should always post the advisory to the bug as well
4) the advisory in SVN is insufficient

QA team, please replace the advisory with the following:

Advisory:
========================

Updated libytnef packages fix security vulnerabilities:

Several issues were discovered in libytnef, a library used to decode
application/ms-tnef e-mail attachments. Multiple heap overflows, out-of-bound
writes and reads, NULL pointer dereferences and infinite loops could be
exploited by tricking a user into opening a maliciously crafted winmail.dat
file (CVE-2017-6298, CVE-2017-6299, CVE-2017-6300, CVE-2017-6301,
CVE-2017-6302, CVE-2017-6303, CVE-2017-6304, CVE-2017-6305, CVE-2017-6306,
CVE-2017-6800, CVE-2017-6801, CVE-2017-6802).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6298
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6299
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6300
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6301
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6302
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6303
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6304
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6305
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6306
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6800
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6801
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6802
http://openwall.com/lists/oss-security/2017/02/15/4
https://www.debian.org/security/2017/dsa-3846
Comment 6 Dave Hodgins 2017-05-21 03:23:45 CEST
Advisory updated in svn
Comment 7 Herman Viaene 2017-06-06 11:40:57 CEST
MGA-32 on Asus A6000VM Xfce
No installation issues.
Took the dip and found libytnef-devel-1.5-10.1 and libytnef0-1.5-10.1 in the updates.
at CLI:
# urpmq --whatrequires-recursive libytnef0
evolution
evolution
evolution-devel
evolution-devel
evolution-ews
evolution-sharp
evolution-sharp-devel
libytnef-devel
libytnef-devel
libytnef0
So I installed evolution and 
$ strace -o /home/tester5/Documenten/ytnef.txt evolution 
generated some pages of warnings, but following its wizard to setup a mail account. Received some messages and the trace file shows libytnef being called.
Comment 8 Dave Hodgins 2017-06-07 07:54:10 CEST
Ok on x86_64, also using evolution. Validating the update
Comment 9 David Walser 2017-06-08 03:10:03 CEST
A new update for this actually got pushed in Bug 20893 after this was tested.
Comment 10 Nicolas Lécureuil 2017-06-08 23:27:16 CEST
Update ID assignment failed

Checking for QA validation keyword⦠  â
Checking dependent bugs⦠             â 20893
Dependent bug! Publish anyway? [y/N]:  â
Checking SRPMs⦠                      â (5/core/libytnef-1.5-10.1.mga5) 


'validated_update' keyword reset.
Comment 11 David Walser 2017-06-10 15:28:31 CEST
Nicolas, would you mind taking a look at the update pushing script?  It shouldn't have tried to push this one, as it was no longer assigned to QA.
Comment 12 David Walser 2017-06-15 01:39:28 CEST
Fixed in:
http://advisories.mageia.org/MGASA-2017-0174.html

Note You need to log in before you can comment on or make changes to this bug.