Comment 1 GLSAMaker/CVETool Bot 2017-03-02 18:20:39 UTC

CVE-2017-6309 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6309):
  An issue was discovered in tnef before 1.4.13. Two type confusions have been
  identified in the parse_file() function. These might lead to invalid read
  and write operations, controlled by an attacker.

CVE-2017-6308 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6308):
  An issue was discovered in tnef before 1.4.13. Several Integer Overflows,
  which can lead to Heap Overflows, have been identified in the functions that
  wrap memory allocation.

CVE-2017-6307 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6307):
  An issue was discovered in tnef before 1.4.13. Two OOB Writes have been
  identified in src/mapi_attr.c:mapi_attr_read(). These might lead to invalid
  read and write operations, controlled by an attacker.

Comment 2 GLSAMaker/CVETool Bot 2017-03-02 18:23:11 UTC

CVE-2017-6310 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6310):
  An issue was discovered in tnef before 1.4.13. Four type confusions have
  been identified in the file_add_mapi_attrs() function. These might lead to
  invalid read and write operations, controlled by an attacker.

Comment 3 GLSAMaker/CVETool Bot 2017-03-02 18:23:16 UTC

CVE-2017-6310 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6310):
  An issue was discovered in tnef before 1.4.13. Four type confusions have
  been identified in the file_add_mapi_attrs() function. These might lead to
  invalid read and write operations, controlled by an attacker.

Comment 4 GLSAMaker/CVETool Bot 2017-03-02 18:25:31 UTC

CVE-2017-6310 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6310):
  An issue was discovered in tnef before 1.4.13. Four type confusions have
  been identified in the file_add_mapi_attrs() function. These might lead to
  invalid read and write operations, controlled by an attacker.

Comment 5 Thomas Deutschmann (RETIRED) 2017-03-02 18:25:52 UTC

@ Maintainer(s): Please bump to >=net-mail/tnef-1.4.13 and tell us if the new ebuild is already ready for stabilization.

Comment 6 Eray Aslan 2017-05-04 08:15:26 UTC

Arches, please test and mark stable
=net-mail/tnef-1.4.14

Target Keywords = amd64 hppa ppc ppc64 ~sparc x86

Comment 7 Agostino Sarubbo 2017-05-04 13:07:42 UTC

amd64 stable

Comment 8 Jeroen Roovers (RETIRED) 2017-05-04 15:45:02 UTC

Stable for HPPA.

Comment 9 Agostino Sarubbo 2017-05-04 15:56:01 UTC

x86 stable

Comment 10 Michael Weber (RETIRED) 2017-05-13 20:54:08 UTC

ppc ppc64 stable, all arches done.

Comment 11 Yury German 2017-05-21 07:12:20 UTC

Arches, Thank you for your work.
New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s).

Comment 12 Yury German 2017-06-22 01:31:18 UTC

Maintainer(s), please drop the vulnerable version(s).

Comment 13 Eray Aslan 2017-06-23 06:30:20 UTC

net-mail/tnef/tnef-1.4.12 punted from the tree.  FYI: net-mail/tnef/tnef-1.4.14 is itself vulnerable.  See #618658

Comment 14 Thomas Deutschmann (RETIRED) 2017-06-23 10:22:25 UTC

(In reply to Eray Aslan from comment #13)
> net-mail/tnef/tnef-1.4.12 punted from the tree.  FYI:
> net-mail/tnef/tnef-1.4.14 is itself vulnerable.  See #618658

Thanks for cleanup and letting us know. We are already tracking this in the GLSA.

Comment 15 GLSAMaker/CVETool Bot 2017-08-17 03:46:38 UTC

This issue was resolved and addressed in
 GLSA 201708-02 at https://security.gentoo.org/glsa/201708-02
by GLSA coordinator Yury German (BlueKnight).