Mageia Bugzilla – Bug 20343
tnef new security issues X41-2017-004 (CVE-2017-630[7-9] and CVE-2017-6310)
Last modified: 2017-03-14 20:48:10 CET
An advisory has been issued on February 23:
The solution is unclear. The advisory says that versions 1.4.12 and earlier are affected, but recommends upgrading to the latest version, which appears to be 1.4.12.
Mageia 5 is also affected.
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Debian has issued an advisory for this on March 1:
They have CVEs and patches.
The updated package fixes security vulnerabilities:
An issue was discovered in tnef before 1.4.13. Two OOB Writes have been identified in src/mapi_attr.c:mapi_attr_read(). These might lead to invalid read and write operations, controlled by an attacker. (CVE-2017-6307)
An issue was discovered in tnef before 1.4.13. Several Integer Overflows, which can lead to Heap Overflows, have been identified in the functions that wrap memory allocation. (CVE-2017-6308)
An issue was discovered in tnef before 1.4.13. Two type confusions have been identified in the parse_file() function. These might lead to invalid read and write operations, controlled by an attacker. (CVE-2017-6309)
An issue was discovered in tnef before 1.4.13. Four type confusions have been identified in the file_add_mapi_attrs() function. These might lead to invalid read and write operations, controlled by an attacker. (CVE-2017-6310)
Updated packages in core/updates_testing:
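The integer-overflow class described for CVE-2017-6308 above, shown as an added example that is not part of this bug report and is not tnef's code: an allocation wrapper that multiplies a count by an element size can wrap around and request far fewer bytes than the caller will write. The function names and the sample count are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical wrapper names; these are not tnef's functions. */

/* Unchecked form: num * size is computed modulo SIZE_MAX + 1, so a large
 * file-supplied count can yield a small request. Returns the number of
 * bytes that would actually be passed to malloc(). */
size_t unchecked_request(size_t num, size_t size)
{
    return num * size;
}

/* Checked form: detect the wrap before multiplying. Returns 0 and stores
 * the product in *out, or -1 if num * size does not fit in size_t. */
int checked_mul(size_t num, size_t size, size_t *out)
{
    if (size != 0 && num > SIZE_MAX / size)
        return -1;
    *out = num * size;
    return 0;
}

/* Allocation wrapper that refuses overflowing or zero-sized requests
 * instead of returning a buffer smaller than the caller expects. */
void *checked_alloc_array(size_t num, size_t size)
{
    size_t total;
    if (checked_mul(num, size, &total) != 0 || total == 0)
        return NULL;
    return malloc(total);
}

int main(void)
{
    /* Constructed input: an element count as it might be read from a file. */
    size_t count = SIZE_MAX / 16 + 2;   /* count * 16 wraps around to 16 */
    printf("unchecked request: %zu bytes for %zu elements\n",
           unchecked_request(count, 16), count);
    void *p = checked_alloc_array(count, 16);
    printf("checked wrapper: %s\n", p ? "allocated" : "rejected");
    free(p);
    return 0;
}
```

Callers of the checked wrapper must treat a NULL return as a parse error and stop processing the attachment.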
"... is a program for unpacking MIME attachments of type "application/ms-tnef". This is a Microsoft only attachment. Due to the proliferation of Microsoft Outlook and Exchange mail servers, more and more mail is encapsulated into this format. The TNEF program allows one to unpack the attachments which were encapsulated into the TNEF attachment. Thus alleviating the need to use Microsoft Outlook to view the attachment."
$ tnef -h gives a command summary; but
$ man tnef shows the best documentation for it - anywhere.
Unless someone can produce a TNEF e-mail attachment, we may have to test just that this updates OK. I will come back to this for 64-bit.
Created attachment 9088
tnef mail attachment example
I uploaded a tnef mail attachment.
My suggestion for this and any other tnef related bug would be to switch to using ytnef which is already in the repo with a currently active upstream.
And I can confirm that the attachment opens properly using the claws-mail-tnef_parse-plugin built with ytnef.
Should have added that ytnef will need to be updated to the latest git for
I could find no test/PoC examples in the various references. According to its GIT page, the package has not evolved since 2011/2012.
@Charles Many thanks for providing the sample TNEF file 'winmail.dat' (which contains: zappa_av1.jpg & bookmark.htm).
BEFORE the update: tnef-1.4.9-4.mga5
$ tnef -v winmail.dat
zappa_av1.jpg | zappa_av1.jpg | unknown |
bookmark.htm | bookmark.htm | unknown |
The .jpg image displayed OK, also the .htm page.
AFTER update: tnef-1.4.9-4.1.mga5
Same correct results, so the update at least is not retrogressive. OK.