Created attachment 591258 [details] proposed patch to fix possible buffer overflows. Description of problem: compiler warning: call ... will always overflow destination buffer. indeed, there is a trivial bug in the code, no space is reserved for trailing \0. patch to fix: --- libytnef-1.5/ytnef.c 2004-08-26 17:09:05.000000000 +0000 +++ libytnef-1.5/ytnef.c 2012-06-08 19:34:07.826123387 +0000 @@ -1327,7 +1327,7 @@ ULONG compressedSize, uncompressedSize, magic, crc32; comp_Prebuf.size = strlen(RTF_PREBUF); - comp_Prebuf.data = calloc(comp_Prebuf.size, 1); + comp_Prebuf.data = calloc(comp_Prebuf.size+1, 1); strcpy(comp_Prebuf.data, RTF_PREBUF); src = p->data; Version-Release number of selected component (if applicable): libytnef-1.5-7.fc17
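Review bot: the calloc() result in the `+` line is still passed straight to strcpy() with no NULL check, so an allocation failure turns into a write through a null pointer; add a check such as `if (!comp_Prebuf.data) return` (with whatever error value the function uses) before the strcpy(). The `+1` does close the one-byte heap overflow, but since comp_Prebuf.size is recorded as strlen(RTF_PREBUF), the terminator is outside the counted region anyway; if nothing downstream relies on it, `memcpy(comp_Prebuf.data, RTF_PREBUF, comp_Prebuf.size)` with the original allocation size copies exactly the bytes the buffer accounts for and makes the intent explicit.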
The comp_Prebuf.data[] is never accessed beyond the end. I think it is more suitable to do memcpy() instead of strcpy(), to copy only comp_Prebuf.size bytes without the trailing zero. Actually, comp_Prebuf.data is never freed, which leaks memory.
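The off-by-one under discussion, shown as an added example rather than libytnef's own code: calloc(strlen(s), 1) followed by strcpy() writes strlen(s)+1 bytes into strlen(s) bytes of heap. The block keeps the buggy pattern for comparison (it is defined but never called), next to the two fixes raised in this bug (allocating one extra byte, or copying exactly size bytes with memcpy()) and a free routine for the leak mentioned above. The struct name `prebuf`, its `size`/`data` fields, the function names and the short constructed stand-in for RTF_PREBUF are all assumptions for illustration.

```c
/* Added example, not code from libytnef: the calloc(strlen)+strcpy
 * off-by-one and the two fixes discussed in this bug.
 * Names (prebuf, size/data, function names) and the short stand-in
 * for RTF_PREBUF are assumptions made for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct prebuf {
    size_t size;          /* number of meaningful bytes in data */
    unsigned char *data;  /* heap buffer holding exactly those bytes */
};

/* Constructed stand-in for RTF_PREBUF; the real one is much longer. */
static const char SAMPLE_PREBUF[] = "{\\rtf1\\ansi\\mac\\deff0\\deftab720";

/* strcpy() always writes strlen(src)+1 bytes (terminator included).
 * Returns 1 if that would run past an allocation of `alloc` bytes. */
int strcpy_would_overflow(size_t alloc, const char *src)
{
    return strlen(src) + 1 > alloc;
}

/* The original pattern: room for the characters, none for the NUL.
 * Kept only as the "before"; never called because the strcpy()
 * writes one byte past the end of the allocation. */
int prebuf_init_buggy(struct prebuf *p, const char *src)
{
    p->size = strlen(src);
    p->data = calloc(p->size, 1);
    if (!p->data)
        return -1;
    strcpy((char *)p->data, src);   /* size+1 bytes into size bytes */
    return 0;
}

/* Fix A: keep a terminated string by allocating one extra byte. */
int prebuf_init_nul_terminated(struct prebuf *p, const char *src)
{
    p->size = strlen(src);
    p->data = calloc(p->size + 1, 1);
    if (!p->data)
        return -1;
    memcpy(p->data, src, p->size + 1);  /* characters plus NUL */
    return 0;
}

/* Fix B (the memcpy() variant suggested in this bug): the consumer only
 * reads data[0..size-1], so copy exactly size bytes and no terminator. */
int prebuf_init_exact(struct prebuf *p, const char *src)
{
    p->size = strlen(src);
    p->data = calloc(p->size, 1);
    if (!p->data)
        return -1;
    memcpy(p->data, src, p->size);
    return 0;
}

/* Release the buffer so the copy does not outlive its use. */
void prebuf_free(struct prebuf *p)
{
    free(p->data);
    p->data = NULL;
    p->size = 0;
}

int main(void)
{
    struct prebuf p;
    size_t n = strlen(SAMPLE_PREBUF);

    printf("strcpy into calloc(%zu): overflow=%d\n", n,
           strcpy_would_overflow(n, SAMPLE_PREBUF));
    printf("strcpy into calloc(%zu): overflow=%d\n", n + 1,
           strcpy_would_overflow(n + 1, SAMPLE_PREBUF));

    if (prebuf_init_exact(&p, SAMPLE_PREBUF) == 0) {
        printf("exact copy holds %zu bytes, last byte '%c'\n",
               p.size, p.data[p.size - 1]);
        prebuf_free(&p);
    }
    return 0;
}
```

Both fixes check the calloc() result before writing, which the original code does not; under memory pressure that unchecked path is a null-pointer write rather than a heap overflow, but it is still a crash.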
This issue is already tracked by upstream: <http://sourceforge.net/tracker/?func=detail&aid=2949686&group_id=70352&atid=527487>.
Reproducer:

(1) Obtain a TNEF archive with a binary document (e.g. the winmail.dat from <http://sourceforge.net/tracker/?func=detail&aid=756215&group_id=70352&atid=533948>).

(2) Explore the archive with the ytnefprint tool (from the ytnef package), which uses the libytnef library:

$ ytnefprint winmail.dat
Attempting to parse winmail.dat...
---> In TNEF1.0 format
Message Priority: normal
Date Received: Tuesday June 17, 2003 10:23:00 am
Message Class: IPM.Microsoft Mail.Note
MAPI Properties: 39
#0: Type: [ BOOLEAN ] Code: [PR_ALTERNATE_RECIPIENT_ALLOWED] Size: 4 Value: True
#1: Type: [ BOOLEAN ] Code: [PR_ORIGINATOR_DELIVERY_REPORT_REQUESTED] Size: 4 Value: False
#2: Type: [ LONG ] Code: [PR_PRIORITY] Size: 4 Value: 0
#3: Type: [ BOOLEAN ] Code: [PR_READ_RECEIPT_REQUESTED] Size: 4 Value: False
#4: Type: [ LONG ] Code: [PR_SENSITIVITY] Size: 4 Value: 0
#5: Type: [ STRING8 ] Code: [PR_CONVERSATION_TOPIC] Size: 5 Value: [test]
#6: Type: [ BINARY ] Code: [PR_CONVERSATION_INDEX] Size: 22 Value: [..4.p...s,j~O...I....L]
#7: Type: [ BINARY ] Code: [PR_SENDER_SEARCH_KEY] Size: 26 Value: [SMTP:JGERLAND.]
#8: Type: [ BOOLEAN ] Code: [PR_DELETE_AFTER_SUBMIT] Size: 4 Value: False
#9: Type: [SYS TIME ] Code: [PR_MESSAGE_DELIVERY_TIME] Size: 8 Value: Tuesday June 17, 2003 3:23:00 pm
#10: Type: [ BINARY ] Code: [PR_SENTMAIL_ENTRYID] Size: 24 Value: [......3.v#'N..I..G......]
#11: Type: [ LONG ] Code: [PR_SUBMIT_FLAGS] Size: 4 Value: 0
#12: Type: [ BOOLEAN ] Code: [PR_RTF_IN_SYNC] Size: 4 Value: True
#13: Type: [ BINARY ] Code: [PR_RTF_COMPRESSED] Size: 217
Detected Compressed RTF.
Decompressed text follows
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
*** buffer overflow detected ***: ytnefprint terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x3045708af7]
/lib64/libc.so.6[0x3045706a70]
/usr/lib64/libytnef.so.0(DecompressRTF+0x3a)[0x3045a0470a]
/usr/lib64/libytnef.so.0(MAPIPrint+0x4c8)[0x3045a04e08]
ytnefprint[0x4010e9]
ytnefprint[0x400909]
/lib64/libc.so.6(__libc_start_main+0xed)[0x304562169d]
ytnefprint[0x40097d]
One needs to configure with CFLAGS='-O2 -g -Wp,-D_FORTIFY_SOURCE=2' to provoke the abort.
Created attachment 596239 [details] Better fix for the heap overflow. This fixes the bug by copying only the needed bytes.
libytnef-1.5-8.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/libytnef-1.5-8.fc17
libytnef-1.5-8.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/libytnef-1.5-8.fc16
Package libytnef-1.5-8.fc17: * should fix your issue, * was pushed to the Fedora 17 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing libytnef-1.5-8.fc17' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-10250/libytnef-1.5-8.fc17 then log in and leave karma (feedback).
libytnef-1.5-8.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
libytnef-1.5-8.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
Added CVE as per http://openwall.com/lists/oss-security/2013/04/11/1