An advisory has been issued on February 23: http://openwall.com/lists/oss-security/2017/02/23/17 The solution is unclear. The advisory says that versions 1.4.12 and earlier are affected, but recommends upgrading to the latest version, which appears to be 1.4.12. Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => marja11
Assignee: bugsquad => pkg-bugs
Debian has issued an advisory for this on March 1: https://www.debian.org/security/2017/dsa-3798 They have CVEs and patches.
Summary: tnef new security issues X41-2017-004 => tnef new security issues X41-2017-004 (CVE-2017-630[7-9] and CVE-2017-6310)
Suggested advisory:
========================

The updated package fixes security vulnerabilities:

An issue was discovered in tnef before 1.4.13. Two OOB Writes have been identified in src/mapi_attr.c:mapi_attr_read(). These might lead to invalid read and write operations, controlled by an attacker. (CVE-2017-6307)

An issue was discovered in tnef before 1.4.13. Several Integer Overflows, which can lead to Heap Overflows, have been identified in the functions that wrap memory allocation. (CVE-2017-6308)

An issue was discovered in tnef before 1.4.13. Two type confusions have been identified in the parse_file() function. These might lead to invalid read and write operations, controlled by an attacker. (CVE-2017-6309)

An issue was discovered in tnef before 1.4.13. Four type confusions have been identified in the file_add_mapi_attrs() function. These might lead to invalid read and write operations, controlled by an attacker. (CVE-2017-6310)

References:
http://openwall.com/lists/oss-security/2017/02/23/17
https://www.debian.org/security/2017/dsa-3798
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6307
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6308
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6309
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6310
========================

Updated packages in core/updates_testing:
========================
tnef-1.4.9-4.1.mga5

from SRPMS:
tnef-1.4.9-4.1.mga5.src.rpm
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Version: Cauldron => 5
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA5TOO => (none)
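The integer-overflow class named under CVE-2017-6308 in the advisory above, as an added example that is not tnef's code or its patch: a record count multiplied in 32 bits wraps to a small allocation size, and a hardened wrapper refuses the request. The function names, the 16-byte record size and the 1 MiB input bound are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Illustrative names and sizes only; none of this is taken from tnef. */
#define RECORD_SIZE 16u            /* assumed size of one parsed record */
#define INPUT_LIMIT (1u << 20)     /* assumed cap: bytes left in the input */

/* Weak form: the byte count is computed in 32 bits with no check, so a
 * large count taken from the file wraps to a small allocation size. */
uint32_t unchecked_alloc_size(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;      /* wraps modulo 2^32 */
}

/* Hardened form: reject empty requests, products that would overflow
 * size_t, and products larger than the data that can back them.
 * Returns zeroed memory, or NULL when the request is refused. */
void *checked_alloc_array(size_t count, size_t elem_size, size_t limit)
{
    if (count == 0 || elem_size == 0)
        return NULL;
    if (count > SIZE_MAX / elem_size)      /* product would overflow */
        return NULL;
    if (count * elem_size > limit)         /* more than the input holds */
        return NULL;
    return calloc(count, elem_size);
}

int main(void)
{
    uint32_t count = 0x10000001u;  /* constructed count whose product wraps */

    printf("unchecked size: %u bytes for %u records\n",
           (unsigned)unchecked_alloc_size(count, RECORD_SIZE), (unsigned)count);

    void *bad = checked_alloc_array(count, RECORD_SIZE, INPUT_LIMIT);
    void *ok = checked_alloc_array(4, RECORD_SIZE, INPUT_LIMIT);
    printf("checked: oversized=%s, small=%s\n",
           bad ? "allocated" : "refused", ok ? "allocated" : "refused");
    free(bad);
    free(ok);
    return 0;
}
```

Bounding the product by the bytes remaining in the input matters on 64-bit builds, where a 32-bit count no longer overflows size_t but can still request far more memory than the file could ever fill.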
CC: (none) => davidwhodgins
Whiteboard: (none) => advisory
TNEF?

"... is a program for unpacking MIME attachments of type "application/ms-tnef". This is a Microsoft only attachment. Due to the proliferation of Microsoft Outlook and Exchange mail servers, more and more mail is encapsulated into this format. The TNEF program allows one to unpack the attachments which were encapsulated into the TNEF attachment. Thus alleviating the need to use Microsoft Outlook to view the attachment."

$ tnef -h
gives a command summary; but
$ man tnef
shows the best documentation for it - anywhere.

Unless someone can produce a TNEF e-mail attachment, we may have to test just that this updates OK. I will come back to this for 64-bit.
CC: (none) => lewyssmith
Created attachment 9088
tnef attachment

tnef mail attachment example
CC: (none) => cae
I uploaded a tnef mail attachment. My suggestion for this and any other tnef related bug would be to switch to using ytnef which is already in the repo with a currently active upstream. And I can confirm that the attachment opens properly using the claws-mail-tnef_parse-plugin built with ytnef.
Should have added that ytnef will need to be updated to the latest git for CVE-2017-680, https://github.com/Yeraze/ytnef
Testing M5_64

I could find no test/PoC examples in the various references. According to its GIT page, the package has not evolved since 2011/2012.

@Charles Many thanks for providing the sample TNEF file 'winmail.dat' (which contains: zappa_av1.jpg & bookmark.htm).

BEFORE the update: tnef-1.4.9-4.mga5
$ tnef -v winmail.dat
zappa_av1.jpg | zappa_av1.jpg | unknown |
bookmark.htm | bookmark.htm | unknown |
The .jpg image displayed OK, also the .htm page.

AFTER update: tnef-1.4.9-4.1.mga5
Same correct results, so the update at least is not retrogressive. OK.
Whiteboard: advisory => advisory MGA5-64-OK
On i586, extracted the files from attachment 9088 (Thanks Charles), and viewed them to ensure they were ok.

Validating the update.
Keywords: (none) => validated_update
Whiteboard: advisory MGA5-64-OK => advisory MGA5-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0083.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
*** Bug 20790 has been marked as a duplicate of this bug. ***
CC: (none) => zombie_ryushu