Bug 88644 - ytnef-2.6.ebuild (New Package)
Summary: ytnef-2.6.ebuild (New Package)
Status: RESOLVED OBSOLETE
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All All
Importance: Normal normal
Assignee: Default Assignee for New Packages
URL:
Whiteboard: sunrise suggested
Keywords: EBUILD
Depends on: 88641
Blocks:
Reported: 2005-04-10 14:11 UTC by Tomas Kolda
Modified: 2021-09-18 04:07 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
ytnef-2.6.ebuild (ytnef-2.6.ebuild,745 bytes, text/plain)
2005-04-10 14:12 UTC, Tomas Kolda
Description Tomas Kolda 2005-04-10 14:11:59 UTC
Hi,

I attached ytnef-2.6.ebuild.

ytnef is a program to work with procmail to decode TNEF streams (winmail.dat attachments) like those created with Outlook. Unlike other similar programs, it can also create vCalendar/vCard entries from meeting requests, address cards, and task entries.

I also sent libytnef ebuild before.

tom
Comment 1 Tomas Kolda 2005-04-10 14:12:40 UTC
Created attachment 55918 [details]
ytnef-2.6.ebuild
Comment 2 Martin Polak 2007-03-01 12:55:56 UTC
*needs dependency for libytnef
*can be marked ~ppc
Comment 3 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2009-01-20 16:30:50 UTC
(this is an automated message based on filtering criteria that matched this bug)
'EBUILD' is in the KEYWORDS which should mean that there is an ebuild attached 
to this bug.
This bug is assigned to maintainer-wanted which means that it is not in the 
main tree.

Hello, The Gentoo Team would like to firstly thank you for your ebuild 
submission. We also apologize for not being able to accommodate you in a timely
manner. There are simply too many new packages.

Allow me to use this opportunity to introduce you to Gentoo Sunrise. The 
sunrise overlay[1] is an overlay for Gentoo which we allow trusted users to 
commit to and all users can have ebuilds reviewed by Gentoo devs for entry 
into the overlay. So, the sunrise team is suggesting that you look into this 
and submit your ebuild to the overlay where even *you* can commit to. =)

Because this is a mass message, we are also asking you to be patient with us. 
We anticipate a large number of requests in a short time. 

Thanks,
On behalf of the Gentoo Sunrise Team,
Jeremy.

[1]: http://www.gentoo.org/proj/en/sunrise/
[2]: http://overlays.gentoo.org/proj/sunrise/wiki/SunriseFaq
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-05 13:51:00 UTC
There has been a vulnerability report for yTNEF:
oCERT-2009-013: http://www.ocert.org/advisories/ocert-2009-013.html

The vulnerabilities lead to arbitrary code execution with the privilege of the target user running the decoders.

The directory traversal vulnerability is caused by improper sanitization of the file name used for saving the attachments, as it is computed directly from properties contained in the TNEF structure without checking for conditions that allow to traverse outside the temporary directory used for attachment storage. This leads to arbitrary code execution in case the attacker crafts an attachment that would overwrite a file used for execution (as an example the bashrc profile).

Additionally buffer and heap overflow vulnerabilities can be triggered by passing a file name exceeding a fixed size of 256 bytes in the TNEF data structure. This can lead to arbitrary code execution if exploited.

There is no known version that resolves these issues. Please do not add this package to gentoo-x86 until a fixed version was released or a patch exists that can be applied. For more information, contact security@g.o.
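The two checks Comment 4 says are missing (path components in the attachment name, and names longer than the fixed 256-byte buffer) can be sketched as follows. This is an added example, not part of the original comment and not code from ytnef or its later fix; the function name `safe_attachment_path`, the directory `/tmp/tnef` and the sample name are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_NAME 256 /* fixed file-name buffer size named in the comment above */

/* Build "<dir>/<leaf>" from an untrusted attachment name. The caller must have
 * checked that name_len bytes are readable. Returns 0 on success, -1 if rejected. */
int safe_attachment_path(const char *dir, const char *name, size_t name_len,
                         char *out, size_t out_sz)
{
    char buf[MAX_NAME];
    const char *leaf = buf;
    size_t i;
    int n;

    if (dir == NULL || name == NULL || out == NULL)
        return -1;
    while (name_len > 0 && name[name_len - 1] == '\0')
        name_len--; /* drop terminator(s) counted in the stored length */
    /* Bound the length before copying, so buf cannot overflow. */
    if (name_len == 0 || name_len >= sizeof(buf))
        return -1;
    /* An embedded NUL would make the validated string differ from the raw bytes. */
    if (memchr(name, '\0', name_len) != NULL)
        return -1;
    memcpy(buf, name, name_len);
    buf[name_len] = '\0';

    /* Keep only the last path component; accept both separator styles. */
    for (i = 0; i < name_len; i++)
        if (buf[i] == '/' || buf[i] == '\\')
            leaf = &buf[i + 1];
    /* Policy choice: refuse empty names and dot-names (".", "..", ".bashrc"). */
    if (leaf[0] == '\0' || leaf[0] == '.')
        return -1;
    n = snprintf(out, out_sz, "%s/%s", dir, leaf);
    if (n < 0 || (size_t)n >= out_sz)
        return -1; /* result would have been truncated */
    return 0;
}

int main(void)
{
    char path[512];
    const char name[] = "../../home/user/.bashrc"; /* constructed sample input */
    int rc = safe_attachment_path("/tmp/tnef", name, strlen(name), path, sizeof path);
    puts(rc == 0 ? path : "rejected");
    return 0;
}
```

Opening the resulting path with `O_CREAT | O_EXCL | O_NOFOLLOW` additionally keeps an existing file or symlink in the storage directory from being overwritten or followed.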
Comment 5 randall.hand 2014-08-04 00:26:07 UTC
As of 001/AUG/2014, I believe I have resolved these issues. Newest version of ytnef can be found on GitHub: https://github.com/Yeraze/ytnef