Processing of libytnef_1.9.2-2_amd64.changes
libytnef_1.9.2-2_amd64.changes uploaded successfully to localhost along with the files: libytnef_1.9.2-2.dsc libytnef_1.9.2-2.debian.tar.xz libytnef0-dbgsym_1.9.2-2_amd64.deb libytnef0-dev_1.9.2-2_amd64.deb libytnef0_1.9.2-2_amd64.deb libytnef_1.9.2-2_amd64.buildinfo ytnef-tools-dbgsym_1.9.2-2_amd64.deb ytnef-tools_1.9.2-2_amd64.deb Greetings, Your Debian queue daemon (running on host usper.debian.org)
libytnef_1.9.2-2_amd64.changes ACCEPTED into unstable
Accepted: -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Mon, 22 May 2017 23:51:52 +0200 Source: libytnef Binary: libytnef0 libytnef0-dev ytnef-tools Architecture: source amd64 Version: 1.9.2-2 Distribution: unstable Urgency: medium Maintainer: Debian QA Group Changed-By: Jordi Mallach Description: libytnef0 - improved decoder for application/ms-tnef attachments libytnef0-dev - headers for application/ms-tnef attachments decoder ytnef-tools - ytnef decoder commandline tools Closes: 862556 Changes: libytnef (1.9.2-2) unstable; urgency=medium . * Add CVE information to previous changelog entry. * Add CVE-2017-9058.patch: Fix a heap buffer overflow in SIZECHECK macro (closes: #862556). Checksums-Sha1: b4d233b9302c976f28185e2503eb383fcc7dea94 1950 libytnef_1.9.2-2.dsc bfe7827a79fc6a5e1260c847088a7dea735e881b 4628 libytnef_1.9.2-2.debian.tar.xz 72b47158560736cea511cb1a30147a6046c1d09f 29166 libytnef0-dbgsym_1.9.2-2_amd64.deb e819f959c89191e23f414cbead00c0f39f7bda1c 31370 libytnef0-dev_1.9.2-2_amd64.deb b732f318b482e11a64641fb19e0f6eb4a5ec318e 24866 libytnef0_1.9.2-2_amd64.deb 990f6e2d6ce2a58cc320449f2881bbe72ab8bdd1 6534 libytnef_1.9.2-2_amd64.buildinfo cc9a3be334d3ced5982b801b0f80a8faf303e52c 31980 ytnef-tools-dbgsym_1.9.2-2_amd64.deb 2b22b220a75369b234910aaf7f53edfafadc08f9 20548 ytnef-tools_1.9.2-2_amd64.deb Checksums-Sha256: 0c2ec01a02ff8f91d32274a84a2bf26764ef803d51aa2b2182ce497385fcd7ff 1950 libytnef_1.9.2-2.dsc a06aaf2c2825ac4c44616789bf7228540c54073a10df30dbe9b218d58053598f 4628 libytnef_1.9.2-2.debian.tar.xz 562c1f42323df3bbb7277f9037de0f2ad98bc64ac7282dec69af0c351f5841f0 29166 libytnef0-dbgsym_1.9.2-2_amd64.deb 0304c5265f2dff1fe7ff578fb1f79f19dfe5091640fcac47763228632cd9d8a2 31370 libytnef0-dev_1.9.2-2_amd64.deb b13456240527b60901d943ab4dcd5c038df8b8a72b72c88ce9b7079227114c7d 24866 libytnef0_1.9.2-2_amd64.deb 66c93f0576b54d83c876225f33aadf1838b16f552cdf162e70cb903856a13cc6 6534 libytnef_1.9.2-2_amd64.buildinfo 65aca82ac362cc5b555dde24aa4667183851565803db6223c4326326ecf947b0 31980 ytnef-tools-dbgsym_1.9.2-2_amd64.deb 222a4531b08d5fc0e43216dee2f2b26c98268cb225deb35a735d6c8011f4cebf 20548 ytnef-tools_1.9.2-2_amd64.deb Files: 2249def91c97a2065318f76e21899e84 1950 utils extra libytnef_1.9.2-2.dsc 8687934ec21061787b84098092fae3f3 4628 utils extra libytnef_1.9.2-2.debian.tar.xz 72d4a4d39975e34345a37f591c28c90d 29166 debug extra libytnef0-dbgsym_1.9.2-2_amd64.deb 9c49b3d506b70c806ae07dcc70e08c94 31370 libdevel extra libytnef0-dev_1.9.2-2_amd64.deb e9a5c9885687ebd257e4cd5d33e369c5 24866 libs extra libytnef0_1.9.2-2_amd64.deb 96e25d14e46dfddd8ff561dfc8197282 6534 utils extra libytnef_1.9.2-2_amd64.buildinfo 85c8865ceff2df5b7262a4ae4093f381 31980 debug extra ytnef-tools-dbgsym_1.9.2-2_amd64.deb 7cca14ef47ab4fd4f401b8b2a483e54e 20548 utils extra ytnef-tools_1.9.2-2_amd64.deb -BEGIN PGP SIGNATURE- iQIzBAEBCgAdFiEE6BdUhsApKYN8KGoWJVAvb8vjywQFAlkjXjwACgkQJVAvb8vj ywSmSxAAov7E+yqUQ7ZCXgNk720ttqDBIs/IQUKaON+O9mC5g+SYQhL0Wr2VNiwA Jk41+napkakyUd0zSqEj9i9lXkrhsCBJ3tLs4ln0MAMmSWiv8pAbjQmsWSrwXfYO rSdH9OQ2Xx7VJf7DSNGbytFAJiLdrV0Fv1H4It4stcGQh86Cw6lOG/D1lZI3Uvxm o2gF3wQh1ila65wrqoc0vhj/bbNQ+YOTuhuAgE/a3GGnVBAtwD3EzSj+M1vu9Uld 3C02yCU9GbzE2dW0T+EO/fcolSxwGxRnzgRBWukiVNUc4tXlfzDs0rwCGERVvyo+ qq7E8mVqLyJH1ciHr2JVYaYP7Wn8XTnKdPLrzZStQXCWwl791Vj6FzD5jR7h/5O1 XtDLEm59yma6w8G2L5DPoLZP66FwHTzfHag7aVF6MJ+8Lgu3XuOzUG6PM6Y2X3QN bKwIyMQmIWRT/CODKL0gSWbOaMeIxOqwD0Q0jKeL+KeXLZypI2eLyWkYFmqqJKS9 o1Yp3gDwabfSgCr/xuN+PoWm1QiPPcc6FhwuMHxbpDyEmOrmaVTWVtUC5G2Bo7PJ 4bYhEuVSR9v7P0Zg/+mQMqHjqR4yY3axAIEOt9C1oJfuSmJenLnWCA+hdJLrQJWt T1XGTAUZTLxMh+Df64sNH17oa8OHvVQ5YrEQFLhqdzFRtZ+LTaw= =Ak1m -END PGP SIGNATURE- Thank you for your contribution to Debian.
Bug#862556: marked as done (CVE-2017-9058: Heap-based buffer overflow due to incorrect boundary checking)
Your message dated Wed, 24 May 2017 09:05:44 +
with message-id
and subject line Bug#862556: fixed in libytnef 1.9.2-2
has caused the Debian Bug report #862556,
regarding CVE-2017-9058: Heap-based buffer overflow due to incorrect boundary
checking
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
862556: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862556
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libytnef
Version: 1.5-6+deb8u1
Severity: normal
Tags: security
Hi,
We found a heap-buffer-overflow vulnerability in the libytnef.
This affects both 1.5-6+deb8u1 and 1.9.1 .
The cause is an incorrect boundary checking in SIZECHCK macro in
lib/ytnef.c:39
-- #define SIZECHECK(x) { if char *)d - (char *)data) + x) > size) {
printf("Corrupted file detected at %s : %i\n", __FILE__, __LINE__);
return(-1); } }
++ #define SIZECHECK(x) { if char *)d - (char *)data) + x) >= size) {
printf("Corrupted file detected at %s : %i\n", __FILE__, __LINE__);
return(-1); } }
To verify this, use the testcase from:
https://github.com/bingosxs/fuzzdata/blob/master/ytnef-1.9/TNEFFreeMapiProps-Invalid-read.tnef?raw=true
run the sample with command:
ytnef/.libs/ytnef -v @@
The tracelog is:
=
==15221==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6020ef90 at pc 0x7f7f8986e69f bp 0x7ffe3fc1b820 sp 0x7ffe3fc1b818
READ of size 4 at 0x6020ef90 thread T0
#0 0x7f7f8986e69e in SwapDWord
/home/canicula/afl/test/libytnef0/libytnef-1.5.x/ytnef.c:136:12
#1 0x7f7f8986e69e in TNEFPriority
/home/canicula/afl/test/libytnef0/libytnef-1.5.x/ytnef.c:670
#2 0x7f7f8987ac87 in TNEFParse
/home/canicula/afl/test/libytnef0/libytnef-1.5.x/ytnef.c:1076:29
#3 0x7f7f8987997f in TNEFParseFile
/home/canicula/afl/test/libytnef0/libytnef-1.5.x/ytnef.c:936:12
#4 0x4ea71b in main /home/canicula/afl/test/ytnef.0/ytnef/main.c:125:9
#5 0x7f7f8897782f in __libc_start_main
/build/glibc-9tT8Do/glibc-2.23/csu/../csu/libc-start.c:291
#6 0x418bd8 in _start
(/data/canicula/afl/test/ytnef.0/ytnef/.libs/ytnef+0x418bd8)
0x6020ef92 is located 0 bytes to the right of 2-byte region
[0x6020ef90,0x6020ef92)
allocated by thread T0 here:
#0 0x4b8e90 in calloc
(/data/canicula/afl/test/ytnef.0/ytnef/.libs/ytnef+0x4b8e90)
#1 0x7f7f8987a29d in TNEFParse
/home/canicula/afl/test/libytnef0/libytnef-1.5.x/ytnef.c:1046:20
#2 0x7f7f8987997f in TNEFParseFile
/home/canicula/afl/test/libytnef0/libytnef-1.5.x/ytnef.c:936:12
#3 0x4ea71b in main /home/canicula/afl/test/ytnef.0/ytnef/main.c:125:9
#4 0x7f7f8897782f in __libc_start_main
/build/glibc-9tT8Do/glibc-2.23/csu/../csu/libc-start.c:291
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/canicula/afl/test/libytnef0/libytnef-1.5.x/ytnef.c:136:12 in SwapDWord
Shadow bytes around the buggy address:
0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa[02]fa fa fa 00 fa fa fa fd fa fa fa fd fa
0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user:f7
Container overflow: fc
Array cookie:ac
Intra object redzone:bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone:cb
==15221==ABORTING--- End Message ---
--- Begin Message ---
Source: libytnef
Source-Version: 1.9.2-2
We believe that the bug you reported is fixed in the latest version of
libytnef, which is due to be installed in the Debia
Processed: usrmerge is not yet ready for a stable release
Processing control commands: > block -1 by 860523 810158 759410 837928 Bug #863269 [usrmerge] usrmerge is not yet ready for a stable release 863269 was not blocked by any bugs. 863269 was not blocking any bugs. Added blocking bug(s) of 863269: 837928, 860523, 759410, and 810158 -- 863269: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863269 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
