Apologies for the late reply, I neglected to enable notifications... No, I just meant that the unpatched Trusty package isn't safe just because it doesn't contain ytnef/ytnefprint binaries. You have it right, the single patch you mention will be enough to address CVE-2017-9058. It should replace this patch[1]. That will at least restore correct behaviour to the library.
However, this bug report mentions several vulnerabilities, and the patch only covers CVE-2017-9058. As you can see on the GitHub releases page[2], there have been many CVEs addressed in the past few releases. I don't know how feasible this is, but if possible I highly recommend upgrading to 1.9.3.

[1] https://sources.debian.org/patches/libytnef/1.9.2-2/CVE-2017-9058.patch/
[2] https://github.com/Yeraze/ytnef/releases

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1666884

Title:
  libytnef: February 2017 multiple vulnerabilities (X41-2017-002)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libytnef/+bug/1666884/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs