[Bug 1666884] Re: libytnef: February 2017 multiple vulnerabilities (X41-2017-002)
Tyler Hicks
tyhicks at canonical.com
Fri May 26 23:39:17 UTC 2017
The testing for the Trusty update did not go as expected. The test case
linked to from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862556#5
crashes Evolution the same way with and without the updated libytnef0
package.
Testing on Trusty isn't straightforward because Evolution's handling of
tnef attachments is buggy in Trusty. You have to use this workaround:
https://bugs.launchpad.net/ubuntu-gnome/+bug/1390466/comments/2
I then used mutt to create an email with the previously mentioned
reproducer tnef file attached. Before sending, I had to manually set the
attachment content type to "application/ms-tnef". (In hindsight, I could
have probably set the content type to "application/ms-tnefl" and then
not needed to binary patch the Evolution tnef module.)
Evolution crashes as soon as you click on the email containing the
crafted tnef file. The backtrace is:
(gdb) bt
#0 0x00007fb1ec652be8 in TNEFFreeMapiProps () from /usr/lib/x86_64-linux-gnu/libytnef.so.0
#1 0x00007fb1ec652e1b in TNEFFree () from /usr/lib/x86_64-linux-gnu/libytnef.so.0
#2 0x00007fb1ec869dcd in ?? () from /usr/lib/evolution/3.10/modules/module-tnef-attachment.so
#3 0x00007fb1f737060c in e_mail_parser_parse_part_as () from /usr/lib/evolution/3.10/libevolution-mail-formatter.so.0
#4 0x00007fb1f73706cd in e_mail_parser_parse_part () from /usr/lib/evolution/3.10/libevolution-mail-formatter.so.0
#5 0x00007fb1f73731b2 in ?? () from /usr/lib/evolution/3.10/libevolution-mail-formatter.so.0
#6 0x00007fb1f737060c in e_mail_parser_parse_part_as () from /usr/lib/evolution/3.10/libevolution-mail-formatter.so.0
#7 0x00007fb1f73718cb in ?? () from /usr/lib/evolution/3.10/libevolution-mail-formatter.so.0
#8 0x00007fb1f736ff12 in ?? () from /usr/lib/evolution/3.10/libevolution-mail-formatter.so.0
#9 0x00007fb1f73700b1 in e_mail_parser_parse_sync () from /usr/lib/evolution/3.10/libevolution-mail-formatter.so.0
#10 0x00007fb1eeac09bd in ?? () from /usr/lib/evolution/3.10/libevolution-mail.so.0
#11 0x00007fb21dc4f2af in ?? () from /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0
#12 0x00007fb21dc3c4e6 in ?? () from /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0
#13 0x00007fb21dc5f065 in ?? () from /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0
#14 0x00007fb21d6f388c in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#15 0x00007fb21d6f2f05 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#16 0x00007fb220cb0184 in start_thread (arg=0x7fb1dbfff700) at pthread_create.c:312
#17 0x00007fb21d3babed in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
I don't plan to move forward with this update since it doesn't fix the
crasher.
** Changed in: libytnef (Ubuntu Trusty)
Assignee: Tyler Hicks (tyhicks) => (unassigned)
https://bugs.launchpad.net/bugs/1666884
Title:
libytnef: February 2017 multiple vulnerabilities (X41-2017-002)
Status in libytnef package in Ubuntu:
Confirmed
Status in libytnef source package in Trusty:
Confirmed
Status in libytnef source package in Xenial:
Incomplete
Status in libytnef source package in Yakkety:
Incomplete
Status in libytnef source package in Zesty:
Incomplete
Status in libytnef package in Debian:
Fix Released
Bug description:
http://www.openwall.com/lists/oss-security/2017/02/15/4
https://github.com/Yeraze/ytnef/pull/27/files
Upstream calls this X41-2017-002 but a bunch of CVEs have been assigned too.
https://security-tracker.debian.org/tracker/source-package/libytnef
Fixed in zesty. I'd like to copy the Debian stable security patches
when it's released there.
Quoting from the oss-security post…
Summary and Impact
------------------
Multiple Heap Overflows, out of bound writes and reads, NULL pointer
dereferences and infinite loops have been discovered in ytnef 1.9 and
earlier.
These could be exploited by tricking a user into opening a malicious
winmail.dat file.
Product Description
-------------------
ytnef offers a library and utilities to extract the files from winmail.dat
files. winmail.dat files are sent by Microsoft Outlook when forwarding files
via e-mail. The vendor was very responsive in providing a patched version.
Analysis
--------
Due to the big amount of issues found no detailed analysis is given here.
Almost all allocations were unchecked and out of bounds checks rarely
performed in the code.
In total 9 patches were generated for the following issues:
1. Null Pointer Deref / calloc return value not checked
2. Infinite Loop / DoS
3. Buffer Overflow in version field
4. Out of Bound Reads
5. Integer Overflow
6. Invalid Write and Integer Overflow
7. Out of Bounds read
8. Out of Bounds read and write
9. Directory Traversal using the filename
Testing Done
------------
None
Other Info
----------
Zesty already got these fixes synced from Debian. Trusty got these fixes earlier in May since it was still in main. Recently, there's one more CVE, 2017-9058 so I've supplied debdiffs for trusty and zesty for that issue, copied from Debian's 1.9.2-2 package (which will autosync to artful). For xenial and yakkety, I also added the patches that were applied to trusty.
For more about this new issue, see Debian bug 862556
The only reverse dependency for libytnef is evolution.
For xenial and yakkety, the CVE patch appears to have a basically
duplicate fix for the second half of pt_clsid.diff so I dropped those
lines from pt_clsid.diff.
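The bug classes listed in the advisory (unchecked calloc, infinite loop, integer overflow in length handling, out-of-bounds reads, directory traversal via attachment filenames) are the usual failure modes of a length-prefixed attribute parser. The following is an added illustration, not ytnef's code: it reads a simplified, constructed record layout (4-byte little-endian id, 4-byte length, data; the real winmail.dat layout has more fields) with every check the advisory says was missing, plus a basename-only filter for extracted filenames.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified attribute record (constructed for this example). */
typedef struct { uint32_t id; uint32_t len; char *data; } attr_t;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse one record at *off. Returns 1 on success, 0 on a truncated or
   oversized record. Never reads past buf + buflen and never leaves *off
   unchanged on success, so a caller's loop always terminates (issue 2). */
int read_attr(const uint8_t *buf, size_t buflen, size_t *off, attr_t *out) {
    if (*off > buflen || buflen - *off < 8) return 0;  /* header must fit (issues 4, 7) */
    uint32_t id  = rd32(buf + *off);
    uint32_t len = rd32(buf + *off + 4);
    /* Compare against the bytes remaining rather than computing off + len,
       which could wrap around (issue 5: integer overflow). */
    if (len > buflen - *off - 8) return 0;
    char *d = calloc((size_t)len + 1, 1);               /* issue 1: check the allocation */
    if (!d) return 0;
    memcpy(d, buf + *off + 8, len);
    out->id = id; out->len = len; out->data = d;
    *off += 8 + (size_t)len;
    return 1;
}

/* Issue 9: reduce an attachment filename to its final path component so an
   extractor cannot be steered outside its output directory. Returns 0 when
   nothing usable remains (empty, ".", "..", or too long for out). */
int safe_basename(const char *name, char *out, size_t outlen) {
    const char *base = name;
    for (const char *p = name; *p; p++)
        if (*p == '/' || *p == '\\') base = p + 1;
    if (!*base || !strcmp(base, ".") || !strcmp(base, "..")) return 0;
    if (strlen(base) >= outlen) return 0;
    strcpy(out, base);
    return 1;
}
```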