Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 611426 (CVE-2017-6307, CVE-2017-6308, CVE-2017-6309, CVE-2017-6310) - <net-mail/tnef-1.4.14: multiple vulnerabilities
Summary: <net-mail/tnef-1.4.14: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-6307, CVE-2017-6308, CVE-2017-6309, CVE-2017-6310
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://www.x41-dsec.de/lab/advisorie...
Whiteboard: B2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-03-02 18:19 UTC by Thomas Deutschmann
Modified: 2017-08-17 03:46 UTC (History)
1 user (show)

See Also:
Package list:
=net-mail/tnef-1.4.14
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann (RETIRED) gentoo-dev 2017-03-02 18:19:14 UTC
Incoming details.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2017-03-02 18:20:39 UTC
CVE-2017-6309 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6309):
  An issue was discovered in tnef before 1.4.13. Two type confusions have been
  identified in the parse_file() function. These might lead to invalid read
  and write operations, controlled by an attacker.

CVE-2017-6308 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6308):
  An issue was discovered in tnef before 1.4.13. Several Integer Overflows,
  which can lead to Heap Overflows, have been identified in the functions that
  wrap memory allocation.

CVE-2017-6307 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6307):
  An issue was discovered in tnef before 1.4.13. Two OOB Writes have been
  identified in src/mapi_attr.c:mapi_attr_read(). These might lead to invalid
  read and write operations, controlled by an attacker.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2017-03-02 18:23:11 UTC
CVE-2017-6310 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6310):
  An issue was discovered in tnef before 1.4.13. Four type confusions have
  been identified in the file_add_mapi_attrs() function. These might lead to
  invalid read and write operations, controlled by an attacker.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2017-03-02 18:23:16 UTC
CVE-2017-6310 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6310):
  An issue was discovered in tnef before 1.4.13. Four type confusions have
  been identified in the file_add_mapi_attrs() function. These might lead to
  invalid read and write operations, controlled by an attacker.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2017-03-02 18:25:31 UTC
CVE-2017-6310 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6310):
  An issue was discovered in tnef before 1.4.13. Four type confusions have
  been identified in the file_add_mapi_attrs() function. These might lead to
  invalid read and write operations, controlled by an attacker.
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2017-03-02 18:25:52 UTC
@ Maintainer(s): Please bump to >=net-mail/tnef-1.4.13 and tell us if the new ebuild is already ready for stabilization.
Comment 6 Eray Aslan gentoo-dev 2017-05-04 08:15:26 UTC
Arches, please test and mark stable
=net-mail/tnef-1.4.14

Target Keywords = amd64 hppa ppc ppc64 ~sparc x86
Comment 7 Agostino Sarubbo gentoo-dev 2017-05-04 13:07:42 UTC
amd64 stable
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2017-05-04 15:45:02 UTC
Stable for HPPA.
Comment 9 Agostino Sarubbo gentoo-dev 2017-05-04 15:56:01 UTC
x86 stable
Comment 10 Michael Weber (RETIRED) gentoo-dev 2017-05-13 20:54:08 UTC
ppc ppc64 stable, all arches done.
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2017-05-21 07:12:20 UTC
Arches, Thank you for your work.
New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s).
Comment 12 Yury German Gentoo Infrastructure gentoo-dev 2017-06-22 01:31:18 UTC
Maintainer(s), please drop the vulnerable version(s).
Comment 13 Eray Aslan gentoo-dev 2017-06-23 06:30:20 UTC
net-mail/tnef/tnef-1.4.12 punted from the tree.  FYI: net-mail/tnef/tnef-1.4.14 is itself vulnerable.  See #618658
Comment 14 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-23 10:22:25 UTC
(In reply to Eray Aslan from comment #13)
> net-mail/tnef/tnef-1.4.12 punted from the tree.  FYI:
> net-mail/tnef/tnef-1.4.14 is itself vulnerable.  See #618658

Thanks for cleanup and letting us know. We are already tracking this in the GLSA.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2017-08-17 03:46:38 UTC
This issue was resolved and addressed in
 GLSA 201708-02 at https://security.gentoo.org/glsa/201708-02
by GLSA coordinator Yury German (BlueKnight).