SB2017101229 - Fedora EPEL 6 update for tnef

Description

This security bulletin contains information about 5 secuirty vulnerabilities.

1) Integer underflow (CVE-ID: CVE-2017-8911)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to integer underflow in the unicode_to_utf8() function in tnef 1.4.14. A remote attacker can execute arbitrary code on the target system.

2) Out-of-bounds write (CVE-ID: CVE-2017-6307)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

An issue was discovered in tnef before 1.4.13. Two OOB Writes have been identified in src/mapi_attr.c:mapi_attr_read(). These might lead to invalid read and write operations, controlled by an attacker.

3) Integer overflow (CVE-ID: CVE-2017-6308)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

An issue was discovered in tnef before 1.4.13. Several Integer Overflows, which can lead to Heap Overflows, have been identified in the functions that wrap memory allocation.

4) Out-of-bounds read (CVE-ID: CVE-2017-6309)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

An issue was discovered in tnef before 1.4.13. Two type confusions have been identified in the parse_file() function. These might lead to invalid read and write operations, controlled by an attacker.

5) Out-of-bounds read (CVE-ID: CVE-2017-6310)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

An issue was discovered in tnef before 1.4.13. Four type confusions have been identified in the file_add_mapi_attrs() function. These might lead to invalid read and write operations, controlled by an attacker.

Remediation

Install update from vendor's website.

References

• https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-0177a71c41