Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 618658 (CVE-2017-8911)

Summary: <net-mail/tnef-1.4.15: Integer underflow in unicode_to_utf8 (CVE-2017-8911)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: net-mail+disabled
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1451256
Whiteboard: B3 [glsa cve]
Package list:
net-mail/tnef-1.4.15
 Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2017-05-16 13:41:46 UTC 
From ${URL} :

An integer underflow has been identified in the unicode_to_utf8() function in tnef 1.4.14. This might lead to invalid write operations, controlled by an attacker.

Upstream bug:

https://github.com/verdammelt/tnef/issues/23


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-03 22:54:42 UTC 
Now in tree https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c4a7b478e32e5d06bda8624f0f4d40b2b0b1b307


@ Arches,

please test and mark stable: =net-mail/tnef-1.4.15
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2017-06-03 22:56:39 UTC 
CVE-2017-8911 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8911):
  An integer underflow has been identified in the unicode_to_utf8() function
  in tnef 1.4.14. This might lead to invalid write operations, controlled by
  an attacker.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-03 22:57:24 UTC 
Added to an existing GLSA.
Comment 4 Agostino Sarubbo gentoo-dev 2017-06-04 10:34:56 UTC 
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2017-06-04 10:43:08 UTC 
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-06-13 12:33:00 UTC 
ppc64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-06-21 11:59:45 UTC 
ppc stable
Comment 8 Yury German Gentoo Infrastructure gentoo-dev 2017-08-02 03:05:45 UTC 
Arches or maintainers please stabilize for hppa ASAP. Security will release GLSA for this in 7 days with or without hppa arch being stable.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2017-08-17 03:46:47 UTC 
This issue was resolved and addressed in
 GLSA 201708-02 at https://security.gentoo.org/glsa/201708-02
by GLSA coordinator Yury German (BlueKnight).
Comment 10 Yury German Gentoo Infrastructure gentoo-dev 2017-09-03 21:38:46 UTC 
Re-Opening for hppa stabilization (please reference Bug #629554), and cleanup.
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2017-10-02 04:36:59 UTC 
Slyfox, please stabilize the hppa or drop from stable. 
Holding up security and cleanup.
Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-09 15:16:56 UTC 
hppa stable
Comment 13 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-10 00:01:35 UTC 
@Maintainers please proceed with cleanup.

Thank you,

Gentoo Security Padawan
ChrisADR
Comment 14 Eray Aslan gentoo-dev 2017-10-11 06:35:06 UTC 
cleanup done
Comment 15 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-11 12:05:31 UTC 
Thank you all,
Comment 16 Larry the Git Cow gentoo-dev 2018-06-16 19:26:49 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c084b61e87507c04cf8da51d6dfba2831dac47d6

commit c084b61e87507c04cf8da51d6dfba2831dac47d6
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-06-16 19:21:21 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-06-16 19:26:24 +0000

    net-mail/tnef: stable 1.4.15 for sparc
    
    Bug: https://bugs.gentoo.org/618658
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    RepoMan-Options: --include-arches="sparc"

 net-mail/tnef/tnef-1.4.15.ebuild | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)