Several security issues in ytnef have been announced:
http://openwall.com/lists/oss-security/2017/06/07/3
http://openwall.com/lists/oss-security/2017/06/07/4
http://openwall.com/lists/oss-security/2017/06/07/5
http://openwall.com/lists/oss-security/2017/06/07/6
http://openwall.com/lists/oss-security/2017/06/07/7
http://openwall.com/lists/oss-security/2017/06/07/8
(including the first one above that doesn't have a CVE). No fixes appear to be available yet. libytnef in Mageia 5 may be affected as well.
Some more security issues, partly related (just two more sec researchers running their tests after AGO): https://github.com/Yeraze/ytnef/issues (basically all opened issues are security bugs)
ytnef has two reverse deps in Cauldron:
evolution: libytnef-devel
claws-mail: libytnef-devel
Checked evolution and claws-mail:
- evolution: tnef plugin can be disabled if the BuildRequires is removed (autotools will disable it automatically if missing)
- claws-mail: tnef plugin can be disabled via the `--disable-tnef_parse-plugin` configure option
So we could drop ytnef if we want; Bruno, David, WDYT?
Status comment: (none) => Many unpatched upstream security issues, only used by evolution and claws-mail and could be disabled
I think dropping would be OK. I don't understand why there are three different tnef implementations (tnef, ytnef, ktnef) that all have had recent security issues, instead of everyone settling around one common library. If we drop ytnef, the tnef program will still be available for dealing with these attachments. If ytnef fixes their issues and people don't like evolution/claws-mail not having the built-in support, we can always reintroduce ytnef as an update later.
Dropped from Mageia 6. Mageia 5 may or may not be affected.
Source RPM: ytnef-1.9.2-1.mga6.src.rpm => libytnef-1.5-10.2.mga5.src.rpm
Summary: ytnef new security issues CVE-2017-947[0-4] => libytnef new security issues CVE-2017-947[0-4]
Version: Cauldron => 5
Don't open any TNEF attachments in claws-mail or evolution ;o)
Status: NEW => RESOLVED
Resolution: (none) => OLD