Hi, I attached libytnef-1.5.ebuild. libytnef is used by ytnef. ytnef is a program to work with procmail to decode TNEF streams (winmail.dat attachments) like those created with Outlook. Unlike other similar programs, it can also create vCalendar/vCard entries from meeting requests, address cards, and task entries. I will also submit ytnef ebuild later. tom
Created attachment 55917 [details] libytnef-1.5.ebuild
also builds on ~ppc
This one is needed for Evolution's TNEF plugin (auto detected during configure phase). Gnome herd, do you want to take care of this package? Outlook-related users would thank you a lot for it ;)
well if you want it, you can push it to the tree and add us as backup herd (please precise role in metadata.xml if so).
align ebuild requests to same values
(this is an automated message based on filtering criteria that matched this bug) 'EBUILD' is in the KEYWORDS which should mean that there is a ebuild attached to this bug. This bug is assigned to maintainer-wanted which means that it is not in the main tree. Hello, The Gentoo Team would like to firstly thank you for your ebuild submission. We also apologize for not being able to accommodate you in a timely manner. There are simply too many new packages. Allow me to use this opportunity to introduce you to Gentoo Sunrise. The sunrise overlay[1] is a overlay for Gentoo which we allow trusted users to commit to and all users can have ebuilds reviewed by Gentoo devs for entry into the overlay. So, the sunrise team is suggesting that you look into this and submit your ebuild to the overlay where even *you* can commit to. =) Because this is a mass message, we are also asking you to be patient with us. We anticipate a large number of requests in a short time. Thanks, On behalf of the Gentoo Sunrise Team, Jeremy. [1]: http://www.gentoo.org/proj/en/sunrise/ [2]: http://overlays.gentoo.org/proj/sunrise/wiki/SunriseFaq
There has been a vulnerability report fro yTNEF: oCERT-2009-013: http://www.ocert.org/advisories/ocert-2009-013.html The vulnerabilities lead to arbitrary code execution with the privilege of the target user running the decoders. The directory traversal vulnerability is caused by improper sanitization of the file name used for saving the attachments, as it is computed directly from properties contained in the TNEF structure without checking for conditions that allow to traverse outside the temporary directory used for attachment storage. This leads to arbitrary code execution in case the attacker crafts an attachment that would overwrite a file used for execution (as an example the bashrc profile). Additionally buffer and heap overflow vulnerabilities can be triggered by passing a file name exceeding a fixed size of 256 bytes in the TNEF data structure. This can lead to arbitrary code execution if exploited. There is no known version that resolves these issues. Please do not add this package to gentoo-x86 until a fixed version was released or a patch exists that can be applied. For more information, contact security@g.o.
*** Bug 364037 has been marked as a duplicate of this bug. ***
As for 001/AUG/2014, I believe I have resolved these issues. Newest version of ytnef can be found on Github : https://github.com/Yeraze/ytnef
ytnef is now in tree and evolution 3.24.6 has a USE flag for controlling the feature. Thanks for reporting.