Yorick Koster discovered multiple security issues in yTNEF and Evolution's TNEF plugin (based on yTNEF), which are described in the oCERT-2009-013 advisory: http://www.ocert.org/advisories/ocert-2009-013.html yTNEF, an open source filter program that decodes Transport Neutral Encapsulation Format (TNEF) e-mail attachments, and the Evolution TNEF attachment decoder plugin suffer from directory traversal and buffer overflow vulnerabilities. The vulnerabilities lead to arbitrary code execution with the privileges of the target user running the decoders. The directory traversal vulnerability is caused by improper sanitization of the file name used for saving the attachments, as it is computed directly from properties contained in the TNEF structure without checking for conditions that allow traversal outside the temporary directory used for attachment storage. This leads to arbitrary code execution in case the attacker crafts an attachment that would overwrite a file used for execution (as an example, the bashrc profile). Additionally, buffer and heap overflow vulnerabilities can be triggered by passing a file name exceeding a fixed size of 256 bytes in the TNEF data structure. This can lead to arbitrary code execution if exploited. Further details can be found in Yorick's advisory: http://www.akitasecurity.nl/advisory.php?id=AK20090601 There's no official upstream fix for the issues. Both yTNEF and Evolution's TNEF plugin are unmaintained according to oCERT's advisory.
Evolution's TNEF plugin requires libytnef. This library is not available in Red Hat Enterprise Linux, hence Evolution packages in Red Hat Enterprise Linux 3, 4 and 5 are not affected by this problem. libytnef is available in Fedora, but we do not seem to build the TNEF Evolution plugin in any current Fedora version (F10 - F12), so Fedora Evolution packages are unaffected too. ytnef is currently on its way to Fedora - see Review Request bug #485403.
There still is no CVE for this issue, so I've requested one: http://www.openwall.com/lists/oss-security/2009/10/27/5
This has been given the name CVE-2009-3721
CVE-2009-3721 is for the buffer overflow, CVE-2009-3887 is for the directory traversal.
This issue did not affect Fedora previously, but it does now (Fedora 12 and higher):
* Thu Jul 02 2009 Matthew Barnes <mbarnes> - 2.27.3-4.fc12
- Add BR for libpst-devel and libytnef-devel (RH bug #493049).
There still do not seem to be upstream fixes for either libytnef or evolution that I can see. Debian removed libytnef from their distribution on 20100214 in order to correct this flaw. No other vendor has provided a fix. I'm not sure why comment #1 indicates that Fedora Evolution packages are unaffected. F12 and higher are most definitely affected.
(In reply to comment #5)
> I'm not sure why comment #1 indicates that Fedora Evolution packages are
> unaffected. F12 and higher are most definitely affected.
They were not built with ytnef plugin support at that time.
Fixed in newest version: github.com/Yeraze/ytnef. Validated by Yorick.
Additional links to expand on information from comment 18:
CVE-2009-3721
Upstream bug: https://github.com/Yeraze/ytnef/issues/7
Fixed as part of this pull request: https://github.com/Yeraze/ytnef/pull/6
There are unrelated changes as part of the above pull request. Commit that fixes the file name buffer overflow by replacing sprintf with snprintf is https://github.com/Yeraze/ytnef/commit/eddd89c
CVE-2009-3887
Upstream bug: https://github.com/Yeraze/ytnef/issues/8
Fix in the following pull request: https://github.com/Yeraze/ytnef/pull/9
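The two root causes above (an attachment name taken straight from the TNEF structure and used as a path, and that name formatted into a fixed 256-byte buffer with sprintf) are illustrated by this added example of the sanitization and bounded formatting a decoder needs; it is not ytnef's or Evolution's own code, the function names, the `/tmp/tnef` directory and the `PATH_*` codes are hypothetical, and only the 256-byte limit comes from the advisory.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define TNEF_NAME_MAX 256   /* the fixed name-buffer size the advisory describes */
enum { PATH_OK = 0, PATH_BAD_NAME = -1, PATH_TOO_LONG = -2 };

/* Keep only the final path component of an attacker-controlled name; reject names
 * that are empty, "." or "..", or contain control characters. Returns a PATH_* code. */
static int sanitize_attachment_name(const char *raw, char *out, size_t outlen)
{
    const char *base = raw, *p;
    size_t n;
    if (raw == NULL || out == NULL || outlen == 0)
        return PATH_BAD_NAME;
    for (p = raw; *p != '\0'; p++)       /* drop everything before the last separator */
        if (*p == '/' || *p == '\\')
            base = p + 1;
    n = strlen(base);
    if (n == 0 || strcmp(base, ".") == 0 || strcmp(base, "..") == 0)
        return PATH_BAD_NAME;
    if (n >= outlen)                     /* no room for the terminator: refuse, never truncate */
        return PATH_TOO_LONG;
    for (p = base; *p != '\0'; p++)
        if (iscntrl((unsigned char)*p))
            return PATH_BAD_NAME;
    memcpy(out, base, n + 1);
    return PATH_OK;
}

/* Join tmpdir and the sanitized name with a bounded snprintf; truncation is
 * reported as PATH_TOO_LONG instead of silently writing to a different path. */
int build_attachment_path(const char *tmpdir, const char *raw_name,
                          char *path, size_t pathlen)
{
    char name[TNEF_NAME_MAX];
    int rc = sanitize_attachment_name(raw_name, name, sizeof name);
    if (rc != PATH_OK)
        return rc;
    rc = snprintf(path, pathlen, "%s/%s", tmpdir, name);
    return (rc < 0 || (size_t)rc >= pathlen) ? PATH_TOO_LONG : PATH_OK;
}

/* Check helper: build raw_name under the constructed /tmp/tnef directory; returns
 * the PATH_* code, or 1 when a path was built but differs from expected. */
int path_resolves_to(const char *raw_name, const char *expected)
{
    char path[512];
    int rc = build_attachment_path("/tmp/tnef", raw_name, path, sizeof path);
    return rc != PATH_OK ? rc : (strcmp(path, expected) == 0 ? PATH_OK : 1);
}
```

Every name either lands directly inside the temporary directory or is refused; a name that would not fit the 256-byte buffer is rejected rather than cut short or overflowed.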
Evolution bug and fix: https://bugzilla.gnome.org/show_bug.cgi?id=641069 https://git.gnome.org/browse/evolution/commit/?id=a9fb511