Bug 521662 (CVE-2009-3721, CVE-2009-3887)
| Field | Value |
|---|---|
| Summary | CVE-2009-3721 CVE-2009-3887 ytnef, evolution: TNEF attachment decoder input sanitization errors (oCERT-2009-013) |
| Product | [Other] Security Response |
| Component | vulnerability |
| Status | CLOSED CURRENTRELEASE |
| Severity | high |
| Priority | high |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Reporter | Tomas Hoger <thoger> |
| Assignee | Red Hat Product Security <security-response-team> |
| CC | andreas.bierfert, dmoppert, itamar, mbarnes, mcrha, randall.hand, rvokal, vdanen |
| Keywords | Security |
| Fixed In Version | ytnef 2.8 |
| Doc Type | Bug Fix |
| Doc Text | Multiple directory traversal and buffer overflow vulnerabilities were discovered in yTNEF, and in Evolution's TNEF parser that is derived from yTNEF. A crafted email could cause these applications to write data in arbitrary locations on the filesystem, crash, or potentially execute arbitrary code when decoding attachments. |
| Last Closed | 2015-08-24 15:47:24 UTC |
| Bug Depends On | 582355, 632537 |

Description
Tomas Hoger
2009-09-07 14:14:53 UTC
Evolution's TNEF plugin requires libytnef. This library is not available in Red Hat Enterprise Linux, hence Evolution packages in Red Hat Enterprise Linux 3, 4 and 5 are not affected by this problem.

libytnef is available in Fedora, but we do not seem to build TNEF Evolution plugin in any current Fedora version (F10 - F12), so Fedora Evolution packages are unaffected too.

ytnef is currently on its way to Fedora - see Review Request bug #485403.

There still is no CVE for this issue, so I've requested one: http://www.openwall.com/lists/oss-security/2009/10/27/5

This has been given the name CVE-2009-3721

CVE-2009-3721 is for the buffer overflow, CVE-2009-3887 is for the directory traversal.

This issue did not affect Fedora previously, but it does now (Fedora 12 and higher):

* Thu Jul 02 2009 Matthew Barnes <mbarnes> - 2.27.3-4.fc12
- Add BR for libpst-devel and libytnef-devel (RH bug #493049).

There still do not seem to be any upstream fixes for either libytnef or evolution that I can see.

Debian removed libytnef from their distribution on 20100214 in order to correct this flaw. No other vendor has provided a fix.

I'm not sure why comment #1 indicates that Fedora Evolution packages are unaffected. F12 and higher are most definitely affected.

(In reply to comment #5)
> I'm not sure why comment #1 indicates that Fedora Evolution packages are
> unaffected. F12 and higher are most definitely affected.

They were not built with ytnef plugin support at that time.

Fixed in newest version: github.com/Yeraze/ytnef
Validated by Yorick.

Additional links to expand on information from comment 18:

CVE-2009-3721
Upstream bug: https://github.com/Yeraze/ytnef/issues/7
Fixed as part of this pull request: https://github.com/Yeraze/ytnef/pull/6
There are unrelated changes as part of the above pull request. Commit that fixes file name buffer overflow by replacing sprintf with snprintf is https://github.com/Yeraze/ytnef/commit/eddd89c

CVE-2009-3887
Upstream bug: https://github.com/Yeraze/ytnef/issues/8
Fix in the following pull request: https://github.com/Yeraze/ytnef/pull/9
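
The two classes of fix referenced in this bug (bounded formatting of the attachment file name, and refusing names that escape the output directory) are sketched below as an added example; it is not code from ytnef or Evolution. The function names are hypothetical, and reducing the name to its last path component is one common mitigation assumed here, not necessarily what the upstream pull requests do.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not from ytnef: return the last path component of an
 * attacker-supplied attachment name, treating both '/' and '\\' as
 * separators (TNEF is produced by Windows mail clients). */
static const char *attachment_basename(const char *name)
{
    const char *base = name;
    for (const char *p = name; *p; p++)
        if (*p == '/' || *p == '\\')
            base = p + 1;
    return base;
}

/* Build "<outdir>/<basename>" in out[outlen].
 * Returns 0 on success, -1 if the name is unusable or would not fit.
 * The unsafe pattern this replaces: sprintf(out, "%s/%s", outdir, name); */
int build_attachment_path(char *out, size_t outlen,
                          const char *outdir, const char *name)
{
    if (!out || outlen == 0 || !outdir || !name)
        return -1;
    const char *base = attachment_basename(name);
    /* Reject empty names and the directory entries "." and "..". */
    if (base[0] == '\0' || strcmp(base, ".") == 0 || strcmp(base, "..") == 0)
        return -1;
    /* snprintf bounds the write; a return >= outlen means truncation, which
     * is an error here rather than silently writing a different file. */
    int n = snprintf(out, outlen, "%s/%s", outdir, base);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample names, as a decoder might read them from a message. */
    const char *samples[] = { "report.doc", "../../.bashrc", "C:\\tmp\\x.txt", ".." };
    char path[32];
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-16s -> %s\n", samples[i],
               build_attachment_path(path, sizeof path, "/tmp/out", samples[i]) == 0
                   ? path : "(rejected)");
    return 0;
}
```
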