[Bug 1666884] Re: libytnef: February 2017 multiple vulnerabilities (X41-2017-002)

Leonidas S. Barbosa 1666884 at bugs.launchpad.net
Mon Jul 23 18:53:28 UTC 2018


Hi Oliver,

Thanks for the comments...

For trusty I did an update applying:

From 0eab0e46f4828839a7f7e46e48fc33167377ec0d Mon Sep 17 00:00:00 2001
From: Oliver Giles <ohw.giles at gmail.com>
Date: Wed, 30 May 2018 09:06:02 +0300
Subject: [PATCH] Fix length-check before populating propnames

The earlier length check did not check enough bytes. But rather
than fixing the off-by-one, it makes more sense to do a single
check at the start of the loop.

Resolves CVE-2017-9058.

Although, the second piece of the code/patch wasn't applied to trusty
because it doesn't have ytnefprint. I'm not sure if I got it right, but do
you mean that even for Trusty this patch alone doesn't solve the issue?


@Michael, I agree with you, but right now for bionic and xenial this package is in universe, which means it's a community question of time for it to be updated with those CVEs.

** Tags added: community-security

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libytnef in Ubuntu.
https://bugs.launchpad.net/bugs/1666884

Title:
  libytnef: February 2017 multiple vulnerabilities (X41-2017-002)

Status in libytnef package in Ubuntu:
  Confirmed
Status in libytnef source package in Trusty:
  Confirmed
Status in libytnef source package in Xenial:
  Incomplete
Status in libytnef source package in Yakkety:
  Incomplete
Status in libytnef source package in Zesty:
  Incomplete
Status in libytnef package in Debian:
  Fix Released

Bug description:
  http://www.openwall.com/lists/oss-security/2017/02/15/4

  https://github.com/Yeraze/ytnef/pull/27/files

  Upstream calls this X41-2017-002 but a bunch of CVEs have been assigned too.
  https://security-tracker.debian.org/tracker/source-package/libytnef

  Fixed in zesty. I'd like to copy the Debian stable security patches
  when it's released there.

  Quoting from the oss-security post…

  Summary and Impact
  ------------------
  Multiple Heap Overflows, out of bound writes and reads, NULL pointer
  dereferences and infinite loops have been discovered in ytnef 1.9 and
  earlier.
  These could be exploited by tricking a user into opening a malicious
  winmail.dat file.

  Product Description
  -------------------
  ytnef offers a library and utilities to extract the files from winmail.dat
  files. winmail.dat files are sent by Microsoft Outlook when forwarding files
  via e-mail. The vendor was very responsive in providing a patched version.

  Analysis
  --------
  Due to the big amount of issues found no detailed analysis is given here.
  Almost all allocations were unchecked and out of bounds checks rarely
  performed in the code.

  In total 9 patches were generated for the following issues:

  1. Null Pointer Deref / calloc return value not checked
  2. Infinite Loop / DoS
  3. Buffer Overflow in version field
  4. Out of Bound Reads
  5. Integer Overflow
  6. Invalid Write and Integer Overflow
  7. Out of Bounds read
  8. Out of Bounds read and write
  9. Directory Traversal using the filename

  Testing Done
  ------------
  None

  Other Info
  ----------
  Zesty already got these fixes synced from Debian. Trusty got these fixes earlier in May since it was still in main. Recently, there's one more CVE, 2017-9058 so I've supplied debdiffs for trusty and zesty for that issue, copied from Debian's 1.9.2-2 package (which will autosync to artful). For xenial and yakkety, I also added the patches that were applied to trusty.

  For more about this new issue, see Debian bug 862556

  The only reverse dependency for libytnef is evolution.

  For xenial and yakkety, the CVE patch appears to have a basically
  duplicate fix for the second half of pt_clsid.diff so I dropped those
  lines from pt_clsid.diff.
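The commit message above describes the fix for CVE-2017-9058: instead of an off-by-one length check, a single bounds check at the top of the loop before each record is read. The following is an added illustration of that pattern for a length-prefixed record stream; it is not libytnef's code and the record layout (a little-endian uint32 length followed by that many name bytes) is constructed for the example, not the real TNEF encoding.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed record layout for this example (NOT libytnef's on-disk format):
 * a 4-byte little-endian length followed by `length` name bytes, repeated
 * until the buffer is exhausted. */
typedef struct {
    const uint8_t *data;   /* points into the caller's input buffer */
    uint32_t len;
} propname_t;

/* Parse property names from buf[0..size). Returns the number of names found,
 * or -1 if the input is malformed (truncated length field, name body longer
 * than what remains, or more names than `max`). */
int parse_propnames(const uint8_t *buf, size_t size, propname_t *out, int max)
{
    size_t pos = 0;
    int n = 0;
    while (pos < size) {
        /* One check at the start of the loop covering the whole length field.
         * A check of only `pos < size` guarantees a single byte, which is the
         * "did not check enough bytes" defect the commit message refers to. */
        if (size - pos < 4)
            return -1;
        uint32_t len = (uint32_t)buf[pos] | ((uint32_t)buf[pos + 1] << 8)
                     | ((uint32_t)buf[pos + 2] << 16) | ((uint32_t)buf[pos + 3] << 24);
        pos += 4;
        /* Compare against the bytes remaining rather than computing pos + len,
         * which could wrap when len comes from untrusted input. */
        if (len > size - pos)
            return -1;
        if (n == max)
            return -1;
        out[n].data = buf + pos;
        out[n].len = len;
        n++;
        pos += len;
    }
    return n;
}

/* Convenience wrapper used by the checks below. */
int parse_count(const uint8_t *buf, size_t size)
{
    propname_t names[8];
    return parse_propnames(buf, size, names, 8);
}

/* Constructed sample inputs. */
static const uint8_t SAMPLE_OK[]       = {3,0,0,0,'a','b','c', 2,0,0,0,'x','y'};
static const uint8_t SAMPLE_TOO_LONG[] = {5,0,0,0,'a','b'};            /* body truncated */
static const uint8_t SAMPLE_CUT_LEN[]  = {3,0,0,0,'a','b','c', 2,0};   /* length field truncated */
static const uint8_t SAMPLE_HUGE[]     = {0xff,0xff,0xff,0xff};        /* would wrap pos + len */
```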
