Yorick Koster discovered multiple security issues in yTNEF and Evolution's TNEF plugin (based on yTNEF), which are described in oCERT-2009-013 advisory:
yTNEF, an open source filter program that decodes Transport Neutral Encapsulation Format (TNEF) e-mail attachments, and the Evolution TNEF attachment decoder plugin suffer from directory traversal and buffer
The vulnerabilities lead to arbitrary code execution with the privilege of the target user running the decoders.
The directory traversal vulnerability is caused by improper sanitization of the file name used for saving the attachments, as it is computed directly from properties contained in the TNEF structure without checking for conditions that allow traversal outside the temporary directory used for attachment storage. This leads to arbitrary code execution in case the attacker crafts an attachment that would overwrite a file used for execution (as an example the bashrc profile).
Additionally, buffer and heap overflow vulnerabilities can be triggered by passing a file name exceeding a fixed size of 256 bytes in the TNEF data structure. This can lead to arbitrary code execution if exploited.
Further details can be found in Yorick's advisory:
There's no official upstream fix for the issues. Both yTNEF and Evolution's TNEF plugin are unmaintained according to oCERT's advisory.
Evolution's TNEF plugin requires libytnef. This library is not available in Red Hat Enterprise Linux, hence Evolution packages in Red Hat Enterprise Linux 3, 4 and 5 are not affected by this problem.
libytnef is available in Fedora, but we do not seem to build TNEF Evolution plugin in any current Fedora version (F10 - F12), so Fedora Evolution packages are unaffected too.
ytnef is currently on its way to Fedora - see Review Request bug #485403.
There still is no CVE for this issue, so I've requested one: http://www.openwall.com/lists/oss-security/2009/10/27/5
This has been given the name CVE-2009-3721
CVE-2009-3721 is for the buffer overflow, CVE-2009-3887 is for the directory traversal.
This issue did not affect Fedora previously, but it does now (Fedora 12 and higher):
* Thu Jul 02 2009 Matthew Barnes <mbarnes> - 2.27.3-4.fc12
- Add BR for libpst-devel and libytnef-devel (RH bug #493049).
There still does not seem to be an upstream fix for either libytnef or evolution that I can see. Debian removed libytnef from their distribution on 20100214 in order to correct this flaw. No other vendor has provided a fix.
I'm not sure why comment #1 indicates that Fedora Evolution packages are unaffected. F12 and higher are most definitely affected.
(In reply to comment #5)
> I'm not sure why comment #1 indicates that Fedora Evolution packages are
> unaffected. F12 and higher are most definitely affected.
They were not built with ytnef plugin support at that time.
Fixed in newest version: github.com/Yeraze/ytnef
Validated by Yorick.
Additional links to expand on information from comment 18:
Fixed as part of this pull request:
There are unrelated changes as part of the above pull request. Commit that fixes file name buffer overflow by replacing sprintf with snprintf is
Fix in the following pull request:
Evolution bug and fix:
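Added example (not code from ytnef, Evolution or the advisory): a defensive C routine showing how the two flaws described in this thread are closed when building an attachment's output path, by keeping only the last path component of the TNEF-supplied name and by bounding the copy with snprintf instead of sprintf into a fixed 256-byte buffer. The function name, the limit constant and the sample paths are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Fixed-size name buffer as described in the advisory (assumed constant). */
#define TNEF_NAME_MAX 256

/* Hypothetical hardened path builder for a decoded TNEF attachment.
 * tmpdir:    directory attachments are extracted into
 * prop_name: file name taken verbatim from the TNEF property stream
 * Returns true and fills out_path on success; false when the name must
 * be refused (empty, "." / "..", over the size limit, or out_path too small). */
bool tnef_build_save_path(const char *tmpdir, const char *prop_name,
                          char *out_path, size_t out_len)
{
    /* 1. Directory traversal: keep only the final path component, so any
     *    '/' or '\\' carried in the property cannot leave tmpdir. */
    const char *base = prop_name;
    for (const char *q = prop_name; *q != '\0'; q++) {
        if (*q == '/' || *q == '\\')
            base = q + 1;
    }

    /* 2. Refuse names that are empty or refer to the current/parent directory. */
    if (*base == '\0' || strcmp(base, ".") == 0 || strcmp(base, "..") == 0)
        return false;

    /* 3. Buffer overflow: enforce the 256-byte limit up front instead of
     *    letting an unbounded sprintf run past a fixed-size array. */
    if (strlen(base) >= TNEF_NAME_MAX)
        return false;

    /* 4. Compose the path with snprintf and check the return value; a
     *    truncated result is treated as an error, never used. */
    int n = snprintf(out_path, out_len, "%s/%s", tmpdir, base);
    return n > 0 && (size_t)n < out_len;
}
```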