Bug 521662 (CVE-2009-3721, CVE-2009-3887) - CVE-2009-3721 CVE-2009-3887 ytnef, evolution: TNEF attachment decoder input sanitization errors (oCERT-2009-013)
Status: CLOSED CURRENTRELEASE
Alias: CVE-2009-3721, CVE-2009-3887
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
Whiteboard: impact=important,source=ocert,public=...
Keywords: Security
Depends On: 582355 632537
Reported: 2009-09-07 14:14 UTC by Tomas Hoger
Modified: 2019-06-08 12:49 UTC (History)
Last Closed: 2015-08-24 15:47:24 UTC


Description Tomas Hoger 2009-09-07 14:14:53 UTC
Yorick Koster discovered multiple security issues in yTNEF and Evolution's TNEF plugin (based on yTNEF), which are described in oCERT-2009-013 advisory:

  http://www.ocert.org/advisories/ocert-2009-013.html

  yTNEF, an open source filter program that decodes Transport Neutral
  Encapsulation Format (TNEF) e-mail attachments, and the Evolution TNEF
  attachment decoder plugin suffer from directory traversal and buffer
  overflow vulnerabilities.

  The vulnerabilities lead to arbitrary code execution with the privilege
  of the target user running the decoders.

  The directory traversal vulnerability is caused by improper sanitization
  of the file name used for saving the attachments, as it is computed
  directly from properties contained in the TNEF structure without checking
  for conditions that allow traversal outside the temporary directory
  used for attachment storage. This leads to arbitrary code execution in
  case the attacker crafts an attachment that would overwrite a file used
  for execution (as an example the bashrc profile).

  Additionally buffer and heap overflow vulnerabilities can be triggered by
  passing a file name exceeding a fixed size of 256 bytes in the TNEF data
  structure. This can lead to arbitrary code execution if exploited.

Further details can be found in Yorick's advisory:
  http://www.akitasecurity.nl/advisory.php?id=AK20090601

There's no official upstream fix for the issues.  Both yTNEF and Evolution's TNEF plugin are unmaintained according to oCERT's advisory.
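As an added example (written for this page, not code from ytnef or the Evolution plugin), the two defects described above map onto one validation step: a TNEF attachment name is length-prefixed and supplied by the sender, so the decoder has to bound both the read and the write of that name and refuse anything that is not a bare base name before it builds a path under the attachment temp directory. The function names, status codes, sample names and the temp directory path below are this example's own; the 256-byte limit is the fixed size quoted in the advisory.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Fixed file-name buffer size quoted in the oCERT advisory. */
#define TNEF_NAME_MAX 256

/* Result of validating an attachment name taken from TNEF properties. */
enum name_status {
    NAME_OK = 0,
    NAME_EMPTY,        /* zero-length name, nothing to save */
    NAME_TOO_LONG,     /* would not fit a TNEF_NAME_MAX buffer with its NUL */
    NAME_INVALID,      /* embedded NUL: stored length and strlen() disagree */
    NAME_TRAVERSAL     /* path separator or "." / ".." component */
};

/*
 * Check a length-prefixed TNEF string before it is used as a file name.
 * TNEF attributes carry an explicit length, so the name may not be
 * NUL-terminated; every check here is bounded by `len`, not by strlen().
 */
enum name_status check_attachment_name(const char *name, size_t len)
{
    if (len == 0)
        return NAME_EMPTY;
    /* A 256-byte buffer holds at most 255 name bytes plus the terminator. */
    if (len >= TNEF_NAME_MAX)
        return NAME_TOO_LONG;
    if (memchr(name, '\0', len) != NULL)
        return NAME_INVALID;
    /* Only a bare base name is acceptable: no directory components at all. */
    if (memchr(name, '/', len) != NULL || memchr(name, '\\', len) != NULL)
        return NAME_TRAVERSAL;
    if ((len == 1 && name[0] == '.') ||
        (len == 2 && name[0] == '.' && name[1] == '.'))
        return NAME_TRAVERSAL;
    return NAME_OK;
}

/*
 * Build "<tmpdir>/<name>" into a caller-supplied buffer. snprintf() bounds
 * the write and its return value exposes truncation, which sprintf() would
 * silently have turned into an overflow; %.*s bounds the read of the
 * non-terminated TNEF string. Returns 0 on success, -1 on rejection.
 */
int build_save_path(char *out, size_t outsz, const char *tmpdir,
                    const char *name, size_t len)
{
    if (out == NULL || outsz == 0 || tmpdir == NULL || name == NULL)
        return -1;
    if (check_attachment_name(name, len) != NAME_OK)
        return -1;
    int n = snprintf(out, outsz, "%s/%.*s", tmpdir, (int)len, name);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';     /* do not leave a truncated path behind */
        return -1;
    }
    return 0;
}

/* Constructed sample: a name made of `len` copies of `c`, so the length
 * check can be exercised without a literal hundreds of bytes long. */
enum name_status check_repeated_name(char c, size_t len)
{
    char buf[1024];
    if (len > sizeof buf)
        return NAME_TOO_LONG;
    memset(buf, c, len);
    return check_attachment_name(buf, len);
}

int main(void)
{
    /* Constructed inputs for illustration, not taken from a real message. */
    const struct { const char *name; size_t len; } samples[] = {
        { "report.doc", 10 },
        { "../../.bashrc", 13 },
        { "..", 2 },
        { "sub\\evil.exe", 12 },
    };
    char path[512];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = build_save_path(path, sizeof path, "/tmp/tnef-attach",
                                 samples[i].name, samples[i].len);
        printf("%-16s -> %s\n", samples[i].name, rc == 0 ? path : "rejected");
    }
    printf("300-byte name    -> status %d\n", check_repeated_name('A', 300));
    return 0;
}
```

The check deliberately rejects any separator rather than trying to strip `..` components: a name that carries directory structure has no legitimate reason to exist in an attachment and is simpler to refuse than to normalise. Checking the `snprintf()` return value matters as much as the call itself, since a truncated path that is later used can still point somewhere unintended.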

Comment 1 Tomas Hoger 2009-09-07 14:19:33 UTC
Evolution's TNEF plugin requires libytnef.  This library is not available in Red Hat Enterprise Linux, hence Evolution packages in Red Hat Enterprise Linux 3, 4 and 5 are not affected by this problem.

libytnef is available in Fedora, but we do not seem to build TNEF Evolution plugin in any current Fedora version (F10 - F12), so Fedora Evolution packages are unaffected too.

ytnef is currently on its way to Fedora - see Review Request bug #485403.

Comment 2 Vincent Danen 2009-10-27 21:46:35 UTC
There still is no CVE for this issue, so I've requested one: http://www.openwall.com/lists/oss-security/2009/10/27/5

Comment 3 Vincent Danen 2009-10-28 14:08:43 UTC
This has been given the name CVE-2009-3721

Comment 4 Vincent Danen 2010-03-09 20:56:50 UTC
CVE-2009-3721 is for the buffer overflow, CVE-2009-3887 is for the directory traversal.

Comment 5 Vincent Danen 2010-04-09 20:42:51 UTC
This issue did not affect Fedora previously, but it does now (Fedora 12 and higher):

* Thu Jul 02 2009 Matthew Barnes <mbarnes@redhat.com> - 2.27.3-4.fc12
- Add BR for libpst-devel and libytnef-devel (RH bug #493049).

There still do not seem to be upstream fixes for either libytnef or evolution that I can see.  Debian removed libytnef from their distribution on 20100214 in order to correct this flaw.  No other vendor has provided a fix.

I'm not sure why comment #1 indicates that Fedora Evolution packages are unaffected.  F12 and higher are most definitely affected.

Comment 7 Tomas Hoger 2010-04-12 15:50:19 UTC
(In reply to comment #5)
> I'm not sure why comment #1 indicates that Fedora Evolution packages are
> unaffected.  F12 and higher are most definitely affected.

They were not built with ytnef plugin support at that time.

Comment 18 randall.hand 2014-08-04 17:43:22 UTC
Fixed in newest version: github.com/Yeraze/ytnef

Validated by Yorick.

Comment 19 Tomas Hoger 2014-08-05 09:16:08 UTC
Additional links to expand on information from comment 18:


CVE-2009-3721

Upstream bug:
https://github.com/Yeraze/ytnef/issues/7

Fixed as part of this pull request:
https://github.com/Yeraze/ytnef/pull/6

There are unrelated changes as part of the above pull request.  The commit that fixes the file name buffer overflow by replacing sprintf with snprintf is
https://github.com/Yeraze/ytnef/commit/eddd89c


CVE-2009-3887

Upstream bug:
https://github.com/Yeraze/ytnef/issues/8

Fix in the following pull request:
https://github.com/Yeraze/ytnef/pull/9

