Bug 25785 - tnef new security issue CVE-2019-18849
Summary: tnef new security issue CVE-2019-18849
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://linuxsecurity.com/advisories/...
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2019-11-29 21:43 CET by Zombie Ryushu
Modified: 2019-12-06 15:17 CET (History)
6 users (show)

See Also:
Source RPM: tnef-1.4.17-2.mga7.src.rpm
CVE: CVE-2019-18849
Status comment:


Zombie Ryushu 2019-11-29 21:44:04 CET

CVE: (none) => CVE-2019-18849

Comment 1 Lewis Smith 2019-11-29 21:57:48 CET
Thank you for this notice.
I have checked for no duplicate bug.
Assigning to DavidG as latest committer; CC Stig as having done it before.
No registered maintainer.

Assignee: bugsquad => geiger.david68210
Source RPM: tnef => tnef-1.4.17-2.mga7.src.rpm
CC: (none) => smelror

Comment 2 David GEIGER 2019-11-30 08:01:34 CET
Done for mga7!
Comment 3 David Walser 2019-11-30 15:47:52 CET
Saving advisory for the moment...David, it needs to be updated in Cauldron also.


Updated tnef package fixes security vulnerability:

In tnef, an attacker may be able to write to the victim's .ssh/authorized_keys
file via an e-mail message with a crafted winmail.dat application/ms-tnef
attachment, because of a heap-based buffer over-read involving strdup


Updated packages in core/updates_testing:

from tnef-1.4.18-1.mga7.src.rpm

Summary: tnef security update CVE-2019-18849 => tnef new security issue CVE-2019-18849
Version: 7 => Cauldron
Severity: normal => major
Whiteboard: (none) => MGA7TOO

Comment 4 David GEIGER 2019-11-30 17:26:54 CET
Already updated in Cauldron!
Comment 5 David Walser 2019-11-30 18:06:15 CET
Yes I see.  Sophie is outdated.

QA, advisory and package in Comment 3.

Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs

Comment 6 Herman Viaene 2019-12-05 11:44:50 CET
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref to bug 20343 for a testfile, then at CLI
$ tnef -v winmail.dat 
zappa_av1.jpg   |       zappa_av1.jpg   |       unknown |
bookmark.htm    |       bookmark.htm    |       unknown |
The Picture shows OK and I could import the bookmarks into Firefox
OK for me

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 7 Thomas Andrews 2019-12-05 22:52:54 CET

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-12-06 13:33:46 CET

Keywords: (none) => advisory
CC: (none) => tmb

Comment 8 Mageia Robot 2019-12-06 15:17:33 CET
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.