Debian has issued an advisory on June 1:
Mageia 5 is also affected.
The previous security update may have caused a regression (Bug 20938) and we may want to update this to the newest version rather than simply patching.
This particular issue was fixed in 1.4.15.
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Note that the new URL is https://github.com/verdammelt/tnef
freeze push requested.
Patched package uploaded for Mageia 5.
Updated tnef package fixes security vulnerability:
It was discovered that tnef did not correctly validate its input. An attacker
could exploit this by tricking a user into opening a malicious attachment,
which would result in a denial-of-service by application crash (CVE-2017-8911).
Updated packages in core/updates_testing:
MGA5-32 on Asus A6000VM Xfce
No installation issues.
Used attachment from bug 20343 and at CLI:
$ tnef -v winmail.dat
zappa_av1.jpg | zappa_av1.jpg | unknown |
bookmark.htm | bookmark.htm | unknown |
Checked jpg and html file OK
Testing M5 x64 real hardware.
Updated to: tnef-1.4.15-1.mga5
Using the same attachment https://bugs.mageia.org/attachment.cgi?id=9088
the same command gave the same output as Comment 5; both extracted files view correctly. Update OK.
I discovered that if you do something like:
$ tnef -v Downloads/winmail.dat
the extracted files are in the directory called from, not that referred to. Same if you use:
$ tnef -vf Downloads/winmail.dat
The f paramater = file.
Validating, advisory to follow.
An update for this issue has been pushed to the Mageia Updates repository.