Bug 20343 - tnef new security issues X41-2017-004 (CVE-2017-630[7-9] and CVE-2017-6310)
Summary: tnef new security issues X41-2017-004 (CVE-2017-630[7-9] and CVE-2017-6310)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: advisory MGA5-64-OK MGA5-32-OK
Keywords: validated_update
Duplicates: 20790
Depends on:
Blocks:
Reported: 2017-02-24 11:59 CET by David Walser
Modified: 2017-05-06 23:50 CEST (History)

See Also:
Source RPM: tnef-1.4.9-4.mga5.src.rpm
CVE:
Status comment:


Attachments
tnef attachment (95.88 KB, application/octet-stream)
2017-03-13 22:19 CET, Charles Edwards

Description David Walser 2017-02-24 11:59:56 CET
An advisory has been issued on February 23:
http://openwall.com/lists/oss-security/2017/02/23/17

The solution is unclear.  The advisory says that versions 1.4.12 and earlier are affected, but recommends upgrading to the latest version, which appears to be 1.4.12.

Mageia 5 is also affected.
David Walser 2017-02-24 12:00:07 CET

Whiteboard: (none) => MGA5TOO

Comment 1 Marja van Waes 2017-02-24 20:02:11 CET
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2017-03-02 12:07:52 CET
Debian has issued an advisory for this on March 1:
https://www.debian.org/security/2017/dsa-3798

They have CVEs and patches.

Summary: tnef new security issues X41-2017-004 => tnef new security issues X41-2017-004 (CVE-2017-630[7-9] and CVE-2017-6310)

Comment 3 Nicolas Salguero 2017-03-02 14:55:50 CET
Suggested advisory:
========================

The updated package fixes security vulnerabilities:

An issue was discovered in tnef before 1.4.13. Two OOB Writes have been identified in src/mapi_attr.c:mapi_attr_read(). These might lead to invalid read and write operations, controlled by an attacker. (CVE-2017-6307)

An issue was discovered in tnef before 1.4.13. Several Integer Overflows, which can lead to Heap Overflows, have been identified in the functions that wrap memory allocation. (CVE-2017-6308)

An issue was discovered in tnef before 1.4.13. Two type confusions have been identified in the parse_file() function. These might lead to invalid read and write operations, controlled by an attacker. (CVE-2017-6309)

An issue was discovered in tnef before 1.4.13. Four type confusions have been identified in the file_add_mapi_attrs() function. These might lead to invalid read and write operations, controlled by an attacker. (CVE-2017-6310)

References:
http://openwall.com/lists/oss-security/2017/02/23/17
https://www.debian.org/security/2017/dsa-3798
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6307
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6308
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6309
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6310
========================

Updated packages in core/updates_testing:
========================
tnef-1.4.9-4.1.mga5

from SRPMS:
tnef-1.4.9-4.1.mga5.src.rpm

Whiteboard: MGA5TOO => (none)
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Version: Cauldron => 5
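
The four advisory entries above describe two bug classes in a TNEF parser: arithmetic on attacker-supplied sizes that wraps before the allocation happens (CVE-2017-6308), and attribute values handled as a type other than the one their declared length supports (CVE-2017-6309, CVE-2017-6310), with out-of-bounds access as the result (CVE-2017-6307). As an added example, not code from tnef or from the Mageia package, here is a checked allocation wrapper beside its unchecked form and a small record reader that validates the declared length and value type before it hands out a payload pointer. The record layout (level:1 | id:4 LE | len:4 LE | payload), the VT_* type codes and the sample bytes are constructed for illustration and are not a description of tnef's real on-disk format or of the exact faulty code paths.

```c
/* Added example, not code from tnef or from the Mageia update: an
 * overflow-checked allocation wrapper beside its unchecked form, and an
 * attribute reader that validates an attacker-controlled length and value
 * type before touching the payload. The record layout used here
 * (level:1 | id:4 LE | len:4 LE | payload) and the VT_* type codes are
 * constructed for this example; they are not tnef's actual format. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The hazard in the integer-overflow class: n * size wraps, the allocator
 * returns a tiny block, and the caller then writes n * size bytes into it.
 * The product is returned rather than allocated so the wrap can be observed. */
size_t wrapped_product(size_t n, size_t size)
{
    return n * size;                 /* unsigned wrap, well-defined in C */
}

/* Hardened wrapper: refuse the request if n * size would wrap. */
void *checked_alloc(size_t n, size_t size)
{
    if (size != 0 && n > SIZE_MAX / size)
        return NULL;
    return malloc(n * size);
}

/* Returns 1 if the wrapper refuses a request whose product wraps to 0. */
int checked_alloc_rejects_wrap(void)
{
    size_t n = (size_t)1 << (sizeof(size_t) * 8 - 1);   /* 2^(bits-1) */
    void *p = checked_alloc(n, 4);                       /* n * 4 wraps to 0 */
    free(p);                                             /* free(NULL) is a no-op */
    return p == NULL;
}

/* Constructed record layout (assumption): level:1 | id:4 | len:4 | payload */
#define ATTR_HDR 9
enum { VT_U16 = 1, VT_U32 = 2, VT_STRING = 3 };      /* constructed type codes */

typedef struct {
    uint8_t level;
    uint16_t type, id;
    uint32_t len;
    const uint8_t *data;
} attr_t;

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Parse one record from buf[0..avail). Returns bytes consumed, or 0 on
 * rejection. The declared length is checked against what is really in the
 * buffer before any payload pointer is produced (the OOB-access class), and
 * fixed-width value types must carry exactly their width (the type-confusion
 * class: a 2-byte value must not be read as a 4-byte one, or vice versa). */
size_t read_attr(const uint8_t *buf, size_t avail, attr_t *out)
{
    if (avail < ATTR_HDR)
        return 0;
    uint32_t id = rd32le(buf + 1);
    uint32_t len = rd32le(buf + 5);
    if (len > avail - ATTR_HDR)          /* avail >= ATTR_HDR, so no underflow */
        return 0;
    uint16_t type = (uint16_t)(id >> 16);
    switch (type) {
    case VT_U16:    if (len != 2) return 0; break;
    case VT_U32:    if (len != 4) return 0; break;
    case VT_STRING: if (len == 0 || buf[ATTR_HDR + len - 1] != 0) return 0; break;
    default:        return 0;            /* unknown type: do not guess a width */
    }
    out->level = buf[0];
    out->type = type;
    out->id = (uint16_t)id;
    out->len = len;
    out->data = buf + ATTR_HDR;
    return ATTR_HDR + len;
}

/* Constructed sample records (not taken from any real TNEF file). */
static const uint8_t REC_GOOD[] = {            /* VT_U32, len 4, 4 payload bytes */
    0x01, 0x01,0x00,0x02,0x00, 0x04,0x00,0x00,0x00, 0xde,0xad,0xbe,0xef };
static const uint8_t REC_OVERSIZE[] = {        /* claims 0xffffffff payload bytes */
    0x01, 0x01,0x00,0x02,0x00, 0xff,0xff,0xff,0xff, 0xde,0xad,0xbe,0xef };
static const uint8_t REC_CONFUSED[] = {        /* VT_U16 carrying 4 bytes */
    0x01, 0x01,0x00,0x01,0x00, 0x04,0x00,0x00,0x00, 0xde,0xad,0xbe,0xef };

size_t parse_good(void)     { attr_t a; return read_attr(REC_GOOD, sizeof REC_GOOD, &a); }
size_t parse_oversize(void) { attr_t a; return read_attr(REC_OVERSIZE, sizeof REC_OVERSIZE, &a); }
size_t parse_confused(void) { attr_t a; return read_attr(REC_CONFUSED, sizeof REC_CONFUSED, &a); }

int main(void)
{
    printf("checked_alloc rejects wrapping request: %d\n", checked_alloc_rejects_wrap());
    printf("consumed: good=%zu oversize=%zu confused=%zu\n",
           parse_good(), parse_oversize(), parse_confused());
    return 0;
}
```

The two checks in read_attr are independent on purpose: the length bound alone would still let a 4-byte payload be read through a 2-byte accessor, and the type check alone would still let a 4-byte declared length point past the end of the buffer. Both must pass before the payload pointer is exposed.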

Dave Hodgins 2017-03-08 04:00:04 CET

Whiteboard: (none) => advisory
CC: (none) => davidwhodgins

Comment 4 Lewis Smith 2017-03-13 21:47:42 CET
TNEF?
"... is a program for unpacking MIME attachments of type "application/ms-tnef". This is a Microsoft only attachment. Due to the proliferation of Microsoft Outlook and Exchange mail servers, more and more mail is encapsulated into this format. The TNEF program allows one to unpack the attachments which were encapsulated into the TNEF attachment. Thus alleviating the need to use Microsoft Outlook to view the attachment."

$ tnef -h      gives a command summary; but
$ man tnef     shows the best documentation for it - anywhere.

Unless someone can produce a TNEF e-mail attachment, we may have to test just that this updates OK. I will come back to this for 64-bit.

CC: (none) => lewyssmith

Comment 5 Charles Edwards 2017-03-13 22:19:37 CET
Created attachment 9088
tnef attachment

tnef mail attachment example

CC: (none) => cae

Comment 6 Charles Edwards 2017-03-13 22:25:39 CET
I uploaded a tnef mail attachment.

My suggestion for this and any other tnef related bug would be to switch to using ytnef which is already in the repo with a currently active upstream.

And I can confirm that the attachment opens properly using the claws-mail-tnef_parse-plugin built with ytnef.

Comment 7 Charles Edwards 2017-03-13 22:45:30 CET
Should have added that ytnef will need to be updated to the latest git for CVE-2017-680, https://github.com/Yeraze/ytnef

Comment 8 Lewis Smith 2017-03-14 20:48:10 CET
Testing M5_64
I could find no test/PoC examples in the various references. According to its GIT page, the package has not evolved since 2011/2012.

@Charles Many thanks for providing the sample TNEF file 'winmail.dat' (which contains: zappa_av1.jpg & bookmark.htm).

BEFORE the update: tnef-1.4.9-4.mga5
$ tnef -v winmail.dat 
zappa_av1.jpg	|	zappa_av1.jpg	|	unknown	|	
bookmark.htm	|	bookmark.htm	|	unknown	|

The .jpg image displayed OK, also the .htm page.

AFTER update: tnef-1.4.9-4.1.mga5
Same correct results, so the update at least is not retrogressive. OK.

Whiteboard: advisory => advisory MGA5-64-OK

Comment 9 Dave Hodgins 2017-03-25 01:50:06 CET
On i586, extracted the files from attachment 9088 (Thanks Charles), and viewed them to ensure they were ok.

Validating the update

Whiteboard: advisory MGA5-64-OK => advisory MGA5-64-OK MGA5-32-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 10 Mageia Robot 2017-03-25 17:57:30 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0083.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Comment 11 Marja van Waes 2017-05-06 23:50:14 CEST
*** Bug 20790 has been marked as a duplicate of this bug. ***

CC: (none) => zombie_ryushu

