Bug 20343 - tnef new security issues X41-2017-004 (CVE-2017-630[7-9] and CVE-2017-6310)
Summary: tnef new security issues X41-2017-004 (CVE-2017-630[7-9] and CVE-2017-6310)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All Linux
: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: advisory MGA5-64-OK MGA5-32-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-02-24 11:59 CET by David Walser
Modified: 2017-03-25 17:57 CET (History)
6 users (show)

See Also:
Source RPM: tnef-1.4.9-4.mga5.src.rpm
CVE:
Status comment:


Attachments
tnef attachment (95.88 KB, application/octet-stream)
2017-03-13 22:19 CET, Charles Edwards
Details

Description David Walser 2017-02-24 11:59:56 CET
An advisory has been issued on February 23:
http://openwall.com/lists/oss-security/2017/02/23/17

The solution is unclear.  The advisory says that versions 1.4.12 and earlier are affected, but recommends upgrading to the latest version, which appears to be 1.4.12.

Mageia 5 is also affected.
Comment 1 Marja van Waes 2017-02-24 20:02:11 CET
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Comment 2 David Walser 2017-03-02 12:07:52 CET
Debian has issued an advisory for this on March 1:
https://www.debian.org/security/2017/dsa-3798

They have CVEs and patches.
Comment 3 Nicolas Salguero 2017-03-02 14:55:50 CET
Suggested advisory:
========================

The updated package fixes security vulnerabilities:

An issue was discovered in tnef before 1.4.13. Two OOB Writes have been identified in src/mapi_attr.c:mapi_attr_read(). These might lead to invalid read and write operations, controlled by an attacker. (CVE-2017-6307)

An issue was discovered in tnef before 1.4.13. Several Integer Overflows, which can lead to Heap Overflows, have been identified in the functions that wrap memory allocation. (CVE-2017-6308)

An issue was discovered in tnef before 1.4.13. Two type confusions have been identified in the parse_file() function. These might lead to invalid read and write operations, controlled by an attacker. (CVE-2017-6309)

An issue was discovered in tnef before 1.4.13. Four type confusions have been identified in the file_add_mapi_attrs() function. These might lead to invalid read and write operations, controlled by an attacker. (CVE-2017-6310)

References:
http://openwall.com/lists/oss-security/2017/02/23/17
https://www.debian.org/security/2017/dsa-3798
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6307
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6308
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6309
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6310
========================

Updated packages in core/updates_testing:
========================
tnef-1.4.9-4.1.mga5

from SRPMS:
tnef-1.4.9-4.1.mga5.src.rpm
Comment 4 Lewis Smith 2017-03-13 21:47:42 CET
TNEF?
"... is a program for unpacking MIME attachments of type "application/ms-tnef". This is a Microsoft only attachment. Due to the proliferation of Microsoft Outlook and Exchange mail servers, more and more mail is encapsulated into this format. The TNEF program allows one to unpack the attachments which were encapsulated into the TNEF attachment. Thus alleviating the need to use Microsoft Outlook to view the attachment."

$ tnef -h      gives a command summary; but
$ man tnef     shows the best documentation for it - anywhere.

Unless someone can produce a TNEF e-mail attachment, we may have to test just that this updates OK. I will come back to this for 64-bit.
Comment 5 Charles Edwards 2017-03-13 22:19:37 CET
Created attachment 9088 [details]
tnef attachment

tnef mail attachment example
Comment 6 Charles Edwards 2017-03-13 22:25:39 CET
I uploaded a tnef mail attachment.

My suggestion for this and any other tnef related bug would be to switch to using ytnef which is already in the repo with a currently active upstream.

And I can confirm that the attachment opens properly using the
claws-mail-tnef_parse-plugin built with ytnef.
Comment 7 Charles Edwards 2017-03-13 22:45:30 CET
Should have added that ytnef will need to be updated to the latest git for
CVE-2017-680, https://github.com/Yeraze/ytnef
Comment 8 Lewis Smith 2017-03-14 20:48:10 CET
Testing M5_64
I could find no test/PoC examples in the various references. According to its GIT page, the package has not evolved since 2011/2012.

@Charles Many thanks for providing the sample TNEF file 'winmail.dat' (which contains: zappa_av1.jpg & bookmark.htm).

BEFORE the update: tnef-1.4.9-4.mga5
$ tnef -v winmail.dat 
zappa_av1.jpg	|	zappa_av1.jpg	|	unknown	|	
bookmark.htm	|	bookmark.htm	|	unknown	|

The .jpg image displayed OK, also the .htm page.

AFTER update: tnef-1.4.9-4.1.mga5
Same correct results, so the update at least is not retrogressive. OK.
Comment 9 Dave Hodgins 2017-03-25 01:50:06 CET
On i586, extracted the files from attachment 9088 [details] (Thanks Charles), and
viewed them to ensure they were ok.

Validating the update
Comment 10 Mageia Robot 2017-03-25 17:57:30 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0083.html

Note You need to log in before you can comment on or make changes to this bug.