Bug 521662 (CVE-2009-3721, CVE-2009-3887)

Summary: CVE-2009-3721 CVE-2009-3887 ytnef, evolution: TNEF attachment decoder input sanitization errors (oCERT-2009-013)
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
Severity: high
Priority: high
Version: unspecified
CC: andreas.bierfert, dmoppert, itamar, mbarnes, mcrha, randall.hand, rvokal, vdanen
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: ytnef 2.8
Doc Type: Bug Fix
Doc Text:
Multiple directory traversal and buffer overflow vulnerabilities were discovered in yTNEF, and in Evolution's TNEF parser that is derived from yTNEF. A crafted email could cause these applications to write data in arbitrary locations on the filesystem, crash, or potentially execute arbitrary code when decoding attachments.
Story Points: ---
Clone Of: ---
Last Closed: 2015-08-24 15:47:24 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 582355, 632537

Description Tomas Hoger 2009-09-07 14:14:53 UTC
Yorick Koster discovered multiple security issues in yTNEF and Evolution's TNEF plugin (based on yTNEF), which are described in oCERT-2009-013 advisory:

  http://www.ocert.org/advisories/ocert-2009-013.html

  yTNEF, an open source filter program that decodes Transport Neutral
  Encapsulation Format (TNEF) e-mail attachments, and the Evolution TNEF
  attachment decoder plugin suffer from directory traversal and buffer
  overflow vulnerabilities.

  The vulnerabilities lead to arbitrary code execution with the privilege
  of the target user running the decoders.

  The directory traversal vulnerability is caused by improper sanitization
  of the file name used for saving the attachments, as it is computed
  directly from properties contained in the TNEF structure without checking
  for conditions that allow traversal outside the temporary directory
  used for attachment storage. This leads to arbitrary code execution in
  case the attacker crafts an attachment that would overwrite a file used
  for execution (as an example the bashrc profile).

  Additionally buffer and heap overflow vulnerabilities can be triggered by
  passing a file name exceeding a fixed size of 256 bytes in the TNEF data
  structure. This can lead to arbitrary code execution if exploited.

Further details can be found in Yorick's advisory:
  http://www.akitasecurity.nl/advisory.php?id=AK20090601

There's no official upstream fix for the issues.  Both yTNEF and Evolution's TNEF plugin are unmaintained according to oCERT's advisory.
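Both defects the advisory describes come from the same place: the attachment name is taken verbatim from a TNEF property and formatted into a fixed 256-byte buffer with sprintf(). The hardened path builder below is an added illustration, not code from ytnef or Evolution; the buffer size, temporary directory layout and function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size: the advisory says names over 256 bytes overflow a fixed
 * buffer. The unsafe pattern was sprintf(buf, "%s/%s", tmpdir, name) with name
 * copied straight from the TNEF attachment property. */
#define NAME_BUF 256

/* Hardened path construction: keeps only the last path component of the
 * attachment name, refuses "." / ".." and empty names, and writes with a
 * bounded snprintf whose return value exposes an attempted overflow.
 * Returns 1 and fills out[] on success, 0 when the name is rejected. */
int safe_attachment_path(const char *tmpdir, const char *name,
                         char *out, size_t outlen)
{
    /* TNEF originates on Windows, so treat '\\' as a separator as well as '/'. */
    const char *base = name;
    for (const char *p = name; *p; p++)
        if (*p == '/' || *p == '\\')
            base = p + 1;
    if (*base == '\0' || strcmp(base, ".") == 0 || strcmp(base, "..") == 0)
        return 0;
    /* snprintf never writes past outlen; a return value >= outlen means the
     * full path did not fit, i.e. exactly the input that overflowed sprintf(). */
    int n = snprintf(out, outlen, "%s/%s", tmpdir, base);
    if (n < 0 || (size_t)n >= outlen)
        return 0;
    return 1;
}

/* Constructed input: a 300-byte name, longer than the buffer. Returns 1 if
 * the hardened function rejects it instead of truncating or overflowing. */
int long_name_is_rejected(void)
{
    char name[301], out[NAME_BUF];
    memset(name, 'A', 300);
    name[300] = '\0';
    return safe_attachment_path("/tmp/tnef-attach", name, out, sizeof out) == 0;
}

int main(void)
{
    char out[NAME_BUF];
    const char *samples[] = { "report.doc", "..\\..\\.bashrc", "dir/..", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s -> %s\n", samples[i],
               safe_attachment_path("/tmp/tnef-attach", samples[i], out, sizeof out) ? out : "rejected");
    printf("300-byte name rejected: %d\n", long_name_is_rejected());
    return 0;
}
```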

Comment 1 Tomas Hoger 2009-09-07 14:19:33 UTC
Evolution's TNEF plugin requires libytnef.  This library is not available in Red Hat Enterprise Linux, hence Evolution packages in Red Hat Enterprise Linux 3, 4 and 5 are not affected by this problem.

libytnef is available in Fedora, but we do not seem to build TNEF Evolution plugin in any current Fedora version (F10 - F12), so Fedora Evolution packages are unaffected too.

ytnef is currently on its way to Fedora - see Review Request bug #485403.

Comment 2 Vincent Danen 2009-10-27 21:46:35 UTC
There still is no CVE for this issue, so I've requested one: http://www.openwall.com/lists/oss-security/2009/10/27/5

Comment 3 Vincent Danen 2009-10-28 14:08:43 UTC
This has been given the name CVE-2009-3721

Comment 4 Vincent Danen 2010-03-09 20:56:50 UTC
CVE-2009-3721 is for the buffer overflow, CVE-2009-3887 is for the directory traversal.

Comment 5 Vincent Danen 2010-04-09 20:42:51 UTC
This issue did not affect Fedora previously, but it does now (Fedora 12 and higher):

* Thu Jul 02 2009 Matthew Barnes <mbarnes> - 2.27.3-4.fc12
- Add BR for libpst-devel and libytnef-devel (RH bug #493049).

There still do not seem to be upstream fixes for either libytnef or evolution that I can see.  Debian removed libytnef from their distribution on 20100214 in order to correct this flaw.  No other vendor has provided a fix.

I'm not sure why comment #1 indicates that Fedora Evolution packages are unaffected.  F12 and higher are most definitely affected.

Comment 7 Tomas Hoger 2010-04-12 15:50:19 UTC
(In reply to comment #5)
> I'm not sure why comment #1 indicates that Fedora Evolution packages are
> unaffected.  F12 and higher are most definitely affected.

They were not built with ytnef plugin support at that time.

Comment 18 randall.hand 2014-08-04 17:43:22 UTC
Fixed in newest version: github.com/Yeraze/ytnef

Validated by Yorick.

Comment 19 Tomas Hoger 2014-08-05 09:16:08 UTC
Additional links to expand on information from comment 18:

CVE-2009-3721

Upstream bug:
https://github.com/Yeraze/ytnef/issues/7

Fixed as part of this pull request:
https://github.com/Yeraze/ytnef/pull/6

There are unrelated changes as part of the above pull request.  Commit that fixes file name buffer overflow by replacing sprintf with snprintf is
https://github.com/Yeraze/ytnef/commit/eddd89c

CVE-2009-3887

Upstream bug:
https://github.com/Yeraze/ytnef/issues/8

Fix in the following pull request:
https://github.com/Yeraze/ytnef/pull/9