Debian has issued an advisory on June 1: https://www.debian.org/security/2017/dsa-3869 Mageia 5 is also affected. The previous security update may have caused a regression (Bug 20938) and we may want to update this to the newest version rather than simply patching. This particular issue was fixed in 1.4.15.
Blocks: (none) => 20938Whiteboard: (none) => MGA5TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => marja11Assignee: bugsquad => pkg-bugs
Note that the new URL is https://github.com/verdammelt/tnef
Status comment: (none) => Fixed upstream in 1.4.15
freeze push requested.
CC: (none) => mageia
Version: Cauldron => 5Whiteboard: MGA5TOO => (none)
Patched package uploaded for Mageia 5. Advisory: ======================== Updated tnef package fixes security vulnerability: It was discovered that tnef did not correctly validate its input. An attacker could exploit this by tricking a user into opening a malicious attachment, which would result in a denial-of-service by application crash (CVE-2017-8911). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8911 https://www.debian.org/security/2017/dsa-3869 ======================== Updated packages in core/updates_testing: ======================== tnef-1.4.15-1.mga5 from tnef-1.4.15-1.mga5.src.rpm
Assignee: pkg-bugs => qa-bugs
MGA5-32 on Asus A6000VM Xfce No installation issues. Used attachment from bug 20343 and at CLI: $ tnef -v winmail.dat zappa_av1.jpg | zappa_av1.jpg | unknown | bookmark.htm | bookmark.htm | unknown | Checked jpg and html file OK
CC: (none) => herman.viaeneWhiteboard: (none) => MGA5-32-OK
Testing M5 x64 real hardware. Updated to: tnef-1.4.15-1.mga5 Using the same attachment https://bugs.mageia.org/attachment.cgi?id=9088 the same command gave the same output as Comment 5; both extracted files view correctly. Update OK. I discovered that if you do something like: $ tnef -v Downloads/winmail.dat the extracted files are in the directory called from, not that referred to. Same if you use: $ tnef -vf Downloads/winmail.dat The f paramater = file. Validating, advisory to follow.
Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OKKeywords: (none) => validated_updateCC: (none) => lewyssmith, sysadmin-bugs
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0209.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED