Bug#987246: Bug#988504: buster-pu: package tnef/1.4.12-1.2
On Fri, May 14, 2021 at 12:11:59PM +0200, Håvard Flaget Aasen wrote:
> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: release.debian.org@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: haavard_aasen@yahoo.no
>
> Added patch to fix CVE-2019-18849, bug #944851. The patch is identical
> to that applied in jessie, but I also controlled it against the upstream
> commit, to make sure nothing had changed and everything is included.
>
> [ Reason ]
> Fix: CVE-2019-18849 and bug: #944851
> In tnef before 1.4.18, an attacker may be able to write to the victim's
> .ssh/authorized_keys file via an e-mail message with a crafted
> winmail.dat application/ms-tnef attachment, because of a heap-based
> buffer over-read involving strdup.
>
> [ Impact ]
>
> [ Tests ]
> None, but the original patch is from upstream. This exact patch has also been
> included in jessie since late 2019
>
> [ Risks ]
> I consider the risk to be small since the code has been implemented by
> upstream and has been included in jessie.
>
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in (old)stable
> [x] the issue is verified as fixed in unstable
>
> [ Changes ]
> The changes is to prevent the possibility of not terminating strings with
> strdup()
Thorsten Alteholz already proposed an update for tnef in #987246,
which needs an ack yet from the release team.
Regards,
Salvatore
Reply to: