
Bug#944851: marked as done (tnef: CVE-2019-18849)



Your message dated Sun, 30 May 2021 18:32:08 +0000
with message-id <E1lnQEK-0008u5-LL@fasolo.debian.org>
and subject line Bug#944851: fixed in tnef 1.4.12-1.2+deb10u1
has caused the Debian Bug report #944851,
regarding tnef: CVE-2019-18849
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
944851: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944851
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: tnef
Version: 1.4.12-1.2
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/verdammelt/tnef/pull/40

Hi,

The following vulnerability was published for tnef.

CVE-2019-18849[0]:
| In tnef before 1.4.18, an attacker may be able to write to the
| victim's .ssh/authorized_keys file via an e-mail message with a
| crafted winmail.dat application/ms-tnef attachment, because of a heap-
| based buffer over-read involving strdup.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-18849
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18849
[1] https://github.com/verdammelt/tnef/pull/40

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: tnef
Source-Version: 1.4.12-1.2+deb10u1
Done: Thorsten Alteholz <debian@alteholz.de>

We believe that the bug you reported is fixed in the latest version of
tnef, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 944851@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Alteholz <debian@alteholz.de> (supplier of updated tnef package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 18 Apr 2021 10:03:02 +0200
Source: tnef
Architecture: source
Version: 1.4.12-1.2+deb10u1
Distribution: buster
Urgency: high
Maintainer: Kevin Coyner <kcoyner@debian.org>
Changed-By: Thorsten Alteholz <debian@alteholz.de>
Closes: 944851
Changes:
 tnef (1.4.12-1.2+deb10u1) buster; urgency=high
 .
   * Non-maintainer upload by the LTS Team.
   * CVE-2019-18849 (Closes: #944851)
     Using emails with a crafted winmail.dat application/ms-tnef attachment
     might allow changing .ssh/authorized_keys.


--- End Message ---