Bug 21013 - tnef new security issue CVE-2017-8911
Summary: tnef new security issue CVE-2017-8911
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA5-32-OK MGA5-64-OK advisory
Keywords: validated_update
Depends on:
Blocks: 20938
  Show dependency treegraph
Reported: 2017-06-02 12:12 CEST by David Walser
Modified: 2017-07-22 10:56 CEST (History)
5 users (show)

See Also:
Source RPM: tnef-1.4.9-6.mga6.src.rpm
Status comment: Fixed upstream in 1.4.15


Description David Walser 2017-06-02 12:12:56 CEST
Debian has issued an advisory on June 1:

Mageia 5 is also affected.

The previous security update may have caused a regression (Bug 20938) and we may want to update this to the newest version rather than simply patching.

This particular issue was fixed in 1.4.15.
Comment 1 Marja van Waes 2017-06-03 08:47:53 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Comment 2 David Walser 2017-06-05 01:36:38 CEST
Note that the new URL is https://github.com/verdammelt/tnef
Comment 3 Nicolas Lécureuil 2017-06-05 10:46:09 CEST
freeze push requested.
Comment 4 David Walser 2017-07-09 00:48:10 CEST
Patched package uploaded for Mageia 5.


Updated tnef package fixes security vulnerability:

It was discovered that tnef did not correctly validate its input. An attacker
could exploit this by tricking a user into opening a malicious attachment,
which would result in a denial-of-service by application crash (CVE-2017-8911).


Updated packages in core/updates_testing:

from tnef-1.4.15-1.mga5.src.rpm
Comment 5 Herman Viaene 2017-07-20 13:40:48 CEST
MGA5-32 on Asus A6000VM Xfce
No installation issues.
Used attachment from bug 20343 and at CLI:
$ tnef -v winmail.dat 
zappa_av1.jpg	|	zappa_av1.jpg	|	unknown	|	
bookmark.htm	|	bookmark.htm	|	unknown	|	

Checked jpg and html file OK
Comment 6 Lewis Smith 2017-07-20 20:29:35 CEST
Testing M5 x64 real hardware.

Updated to: tnef-1.4.15-1.mga5
Using the same attachment https://bugs.mageia.org/attachment.cgi?id=9088
the same command gave the same output as Comment 5; both extracted files view correctly. Update OK.
I discovered that if you do something like:
 $ tnef -v Downloads/winmail.dat
the extracted files are in the directory called from, not that referred to. Same if you use:
 $ tnef -vf Downloads/winmail.dat
The f paramater  = file.

Validating, advisory to follow.
Comment 7 Mageia Robot 2017-07-22 10:56:28 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Note You need to log in before you can comment on or make changes to this bug.