Bug 6881 - libytnef potential buffer overflow
: libytnef potential buffer overflow
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/506955/
: MGA1TOO has_procedure MGA1-32-OK MGA2...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2012-07-27 16:37 CEST by David Walser
Modified: 2013-04-11 07:59 CEST (History)
5 users (show)

See Also:
Source RPM: libytnef-1.5-5.mga1.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2012-07-27 16:37:16 CEST
Fedora has issued an advisory on July 5:
http://lists.fedoraproject.org/pipermail/package-announce/2012-July/083853.html

Patched package uploaded for Mageia 1, Mageia 2, and Cauldron.

Note to QA: reproducer instructions are on the RedHat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=831322

Advisory:
========================

Updated libytnef package fixes security vulnerability:

Function DecompressRTF() in libytnef 1.5 leads to a buffer overflow on
certain TNEF files (presumably, on files, generated by some recent
versions of MS software).

References:
http://sourceforge.net/tracker/?func=detail&aid=2949686&group_id=70352&atid=527487
http://lists.fedoraproject.org/pipermail/package-announce/2012-July/083853.html
========================

Updated packages in core/updates_testing:
========================
libytnef0-1.5-5.5.mga1
libytnef-devel-1.5-5.5.mga1
libytnef0-1.5-5.5.mga2
libytnef-devel-1.5-5.5.mga2

from SRPMS:
libytnef-1.5-5.1.mga1.src.rpm
libytnef-1.5-5.1.mga2.src.rpm
Comment 1 Samuel Verschelde 2012-08-04 10:12:45 CEST
Testing complete on Mageia 1 32 bits.

--- Detailed procedure ---

Before installing the update candidate:

wget "http://sourceforge.net/tracker/download.php?group_id=70352&atid=533948&file_id=53396&aid=756215" -O winmail.dat

then install the fedora ytnef package, since we don't have it on Mageia.
http://rpm.pbone.net/index.php3?stat=3&search=ytnef

then:

ytnefprint winmail.dat # crashes

then install the update candidate "urpmi libytnef0 --media 'Updates Testing'"

ytnefprint winmail.dat # doesn't crash anymore
Comment 2 Samuel Verschelde 2012-08-04 10:17:58 CEST
Testing complete on Mageia 2 32 bits.
Comment 3 Samuel Verschelde 2012-08-04 11:20:48 CEST
Testing complete on Mageia 1 64 bits. We need a tester for Mageia 2 64 and the update can go.
Comment 4 Stefano Negro 2012-08-04 14:38:37 CEST
I did before : 
wget "http://sourceforge.net/tracker/download.php?group_id=70352&atid=533948&file_id=53396&aid=756215" -O winmail.dat

Then I downloaded and installed : 
Fedora 16
download.fedora.redhat.com/pub/fedora/linux/releases/16/Everything/x86_64/os/Packages/ytnef-2.6-6.fc15.x86_64.rpm

Test pre-update ok. Crash as expected.
ytnefprint winmail.dat"
......
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
*** buffer overflow detected ***: ytnefprint terminated
======= Backtrace: =========

So I enabled and updated testing repos and did the ytnef update to fix it.
It works, and the end of "ytnefprint winmail.dat"

[1] [File      ] ZAPPA_~2.JPG
    Modified on: Monday April 7, 2003 10:35:38 am
    MAPI Properties: 18
    Attachment Size:  2937b
    File saves as [zappa_av1.jpg]
[2] [File      ] bookmark.htm
    Modified on: Tuesday June 17, 2003 10:22:41 am
    MAPI Properties: 18
    Attachment Size:  85805b
    File saves as [bookmark.htm]

So on x86_64 it's validated

Bye
Stblack
Comment 5 Samuel Verschelde 2012-08-04 15:44:38 CEST
Update validated.

See comment #0 for advisory and packages. Thanks!
Comment 6 Thomas Backlund 2012-08-06 18:39:15 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0201
Comment 7 Oden Eriksson 2013-04-11 07:59:33 CEST
FYI. This one got CVE-2010-5109

Note You need to log in before you can comment on or make changes to this bug.