Bug 521662 (CVE-2009-3721, CVE-2009-3887)
Summary: CVE-2009-3721 CVE-2009-3887 ytnef, evolution: TNEF attachment decoder input sanitization errors (oCERT-2009-013)
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
QA Contact:
Version: unspecified
CC: andreas.bierfert, dmoppert, itamar, mbarnes, mcrha, randall.hand, rvokal, vdanen
Fixed In Version: ytnef 2.8
Doc Type: Bug Fix

Multiple directory traversal and buffer overflow vulnerabilities were discovered in yTNEF, and in Evolution's TNEF parser that is derived from yTNEF. A crafted email could cause these applications to write data in arbitrary locations on the filesystem, crash, or potentially execute arbitrary code when decoding attachments.

Last Closed: 2015-08-24 15:47:24 UTC
Type: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 582355, 632537
Description Tomas Hoger 2009-09-07 14:14:53 UTC
Yorick Koster discovered multiple security issues in yTNEF and Evolution's TNEF plugin (based on yTNEF), which are described in the oCERT-2009-013 advisory: http://www.ocert.org/advisories/ocert-2009-013.html

yTNEF, an open source filter program that decodes Transport Neutral Encapsulation Format (TNEF) e-mail attachments, and the Evolution TNEF attachment decoder plugin suffer from directory traversal and buffer overflow vulnerabilities. The vulnerabilities lead to arbitrary code execution with the privilege of the target user running the decoders.

The directory traversal vulnerability is caused by improper sanitization of the file name used for saving the attachments, as it is computed directly from properties contained in the TNEF structure without checking for conditions that allow traversal outside the temporary directory used for attachment storage. This leads to arbitrary code execution in case the attacker crafts an attachment that would overwrite a file used for execution (as an example, the bashrc profile).

Additionally, buffer and heap overflow vulnerabilities can be triggered by passing a file name exceeding a fixed size of 256 bytes in the TNEF data structure. This can lead to arbitrary code execution if exploited.

Further details can be found in Yorick's advisory: http://www.akitasecurity.nl/advisory.php?id=AK20090601

There's no official upstream fix for the issues. Both yTNEF and Evolution's TNEF plugin are unmaintained according to oCERT's advisory.
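As an added example (not ytnef's or Evolution's own code) of the file-name handling the advisory calls for: keep only the final path component of the TNEF-supplied name, reject "." and "..", and build the destination path with a bounded snprintf() that treats truncation as an error instead of silently saving under a mangled name. The function name safe_attachment_path and the 256-byte limit are assumptions, the latter mirroring the fixed buffer size mentioned above.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical hardened replacement for the pattern the advisory describes:
 * an attachment file name taken straight from TNEF properties and written
 * with sprintf() into a fixed 256-byte path buffer. Added example code,
 * not ytnef's or Evolution's own. */
#define PATH_MAX_LEN 256

/* Build "<dir>/<basename(name)>" into out[PATH_MAX_LEN].
 * Returns 0 on success, -1 if the name is unusable or would not fit. */
int safe_attachment_path(const char *dir, const char *name,
                         char out[PATH_MAX_LEN])
{
    const char *base = name;
    const char *p;

    /* Keep only the final path component: this drops "../../home/user" and
     * absolute prefixes, whether '/' or '\\' separators were used. */
    for (p = name; *p; p++)
        if (*p == '/' || *p == '\\')
            base = p + 1;

    /* Reject what is left if it is empty, "." or "..": those would escape
     * or overwrite the directory itself rather than name a file inside it. */
    if (base[0] == '\0' || strcmp(base, ".") == 0 || strcmp(base, "..") == 0)
        return -1;

    /* Bounded formatting instead of sprintf(): snprintf() never writes past
     * the buffer, but a truncated name is still wrong, so treat the
     * over-long case as an error rather than writing a shortened path. */
    int n = snprintf(out, PATH_MAX_LEN, "%s/%s", dir, base);
    if (n < 0 || n >= PATH_MAX_LEN)
        return -1;
    return 0;
}
```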
Comment 1 Tomas Hoger 2009-09-07 14:19:33 UTC
Evolution's TNEF plugin requires libytnef. This library is not available in Red Hat Enterprise Linux, hence Evolution packages in Red Hat Enterprise Linux 3, 4 and 5 are not affected by this problem. libytnef is available in Fedora, but we do not seem to build the TNEF Evolution plugin in any current Fedora version (F10 - F12), so Fedora Evolution packages are unaffected too. ytnef is currently on its way to Fedora - see Review Request bug #485403.
Comment 2 Vincent Danen 2009-10-27 21:46:35 UTC
There still is no CVE for this issue, so I've requested one: http://www.openwall.com/lists/oss-security/2009/10/27/5
Comment 4 Vincent Danen 2010-03-09 20:56:50 UTC
CVE-2009-3721 is for the buffer overflow, CVE-2009-3887 is for the directory traversal.
Comment 5 Vincent Danen 2010-04-09 20:42:51 UTC
This issue did not affect Fedora previously, but it does now (Fedora 12 and higher):

* Thu Jul 02 2009 Matthew Barnes <mbarnes> - 2.27.3-4.fc12
- Add BR for libpst-devel and libytnef-devel (RH bug #493049).

There still does not seem to be an upstream fix for either libytnef or evolution that I can see. Debian removed libytnef from their distribution on 20100214 in order to correct this flaw. No other vendor has provided a fix.

I'm not sure why comment #1 indicates that Fedora Evolution packages are unaffected. F12 and higher are most definitely affected.
Comment 7 Tomas Hoger 2010-04-12 15:50:19 UTC
(In reply to comment #5)
> I'm not sure why comment #1 indicates that Fedora Evolution packages are
> unaffected. F12 and higher are most definitely affected.

They were not built with ytnef plugin support at that time.
Comment 18 randall.hand 2014-08-04 17:43:22 UTC
Fixed in newest version: github.com/Yeraze/ytnef. Validated by Yorick.
Comment 19 Tomas Hoger 2014-08-05 09:16:08 UTC
Additional links to expand on information from comment 18:

CVE-2009-3721
Upstream bug: https://github.com/Yeraze/ytnef/issues/7
Fixed as part of this pull request: https://github.com/Yeraze/ytnef/pull/6
There are unrelated changes as part of the above pull request. The commit that fixes the file name buffer overflow by replacing sprintf with snprintf is https://github.com/Yeraze/ytnef/commit/eddd89c

CVE-2009-3887
Upstream bug: https://github.com/Yeraze/ytnef/issues/8
Fix in the following pull request: https://github.com/Yeraze/ytnef/pull/9
Comment 20 Tomas Hoger 2014-08-05 09:20:04 UTC