Hi, I attached ytnef-2.6.ebuild. ytnef is a program to work with procmail to decode TNEF streams (winmail.dat attachments) like those created with Outlook. Unlike other similar programs, it can also create vCalendar/vCard entries from meeting requests, address cards, and task entries. I also sent libytnef ebuild before. tom
Created attachment 55918 [details] ytnef-2.6.ebuild
*needs dependency for libytnef *can be marked ~ppc
(this is an automated message based on filtering criteria that matched this bug) 'EBUILD' is in the KEYWORDS which should mean that there is a ebuild attached to this bug. This bug is assigned to maintainer-wanted which means that it is not in the main tree. Hello, The Gentoo Team would like to firstly thank you for your ebuild submission. We also apologize for not being able to accommodate you in a timely manner. There are simply too many new packages. Allow me to use this opportunity to introduce you to Gentoo Sunrise. The sunrise overlay[1] is a overlay for Gentoo which we allow trusted users to commit to and all users can have ebuilds reviewed by Gentoo devs for entry into the overlay. So, the sunrise team is suggesting that you look into this and submit your ebuild to the overlay where even *you* can commit to. =) Because this is a mass message, we are also asking you to be patient with us. We anticipate a large number of requests in a short time. Thanks, On behalf of the Gentoo Sunrise Team, Jeremy. [1]: http://www.gentoo.org/proj/en/sunrise/ [2]: http://overlays.gentoo.org/proj/sunrise/wiki/SunriseFaq
There has been a vulnerability report fro yTNEF: oCERT-2009-013: http://www.ocert.org/advisories/ocert-2009-013.html The vulnerabilities lead to arbitrary code execution with the privilege of the target user running the decoders. The directory traversal vulnerability is caused by improper sanitization of the file name used for saving the attachments, as it is computed directly from properties contained in the TNEF structure without checking for conditions that allow to traverse outside the temporary directory used for attachment storage. This leads to arbitrary code execution in case the attacker crafts an attachment that would overwrite a file used for execution (as an example the bashrc profile). Additionally buffer and heap overflow vulnerabilities can be triggered by passing a file name exceeding a fixed size of 256 bytes in the TNEF data structure. This can lead to arbitrary code execution if exploited. There is no known version that resolves these issues. Please do not add this package to gentoo-x86 until a fixed version was released or a patch exists that can be applied. For more information, contact security@g.o.
As for 001/AUG/2014, I believe I have resolved these issues. Newest version of ytnef can be found on Github : https://github.com/Yeraze/ytnef