On Fri, May 14, 2021 at 12:11:59PM +0200, Håvard Flaget Aasen wrote:
> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: [email protected]
> Usertags: pu
> X-Debbugs-Cc: [email protected]
>
> Added patch to fix CVE-2019-18849, bug #944851. The patch is identical
> to that applied in jessie, but I also controlled it against the upstream
> commit, to make sure nothing had changed and everything is included.
>
> [ Reason ]
> Fix: CVE-2019-18849 and bug: #944851
> In tnef before 1.4.18, an attacker may be able to write to the victim's
> .ssh/authorized_keys file via an e-mail message with a crafted
> winmail.dat application/ms-tnef attachment, because of a heap-based
> buffer over-read involving strdup.
>
> [ Impact ]
>
> [ Tests ]
> None, but the original patch is from upstream. This exact patch has also been
> included in jessie since late 2019
>
> [ Risks ]
> I consider the risk to be small since the code has been implemented by
> upstream and has been included in jessie.
>
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in (old)stable
> [x] the issue is verified as fixed in unstable
>
> [ Changes ]
> The change is to prevent the possibility of not terminating strings with
> strdup()
Thorsten Alteholz already proposed an update for tnef in #987246, which
needs an ack yet from the release team.

Regards,
Salvatore
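
The bug class named in the request above (strdup() applied to data that may lack a terminating NUL), shown as an added example; this is not tnef's code or the upstream patch. The helper name `attr_to_cstring`, the idea of a length-delimited attribute buffer, and the sample bytes are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not from tnef): turn a length-delimited attribute
 * value into a C string without reading past `len` bytes.
 * strdup((char *)buf) would scan until it finds a 0 byte, which may lie
 * beyond the end of the allocation if the sender omitted the terminator. */
char *attr_to_cstring(const unsigned char *buf, size_t len)
{
    /* Stop at an embedded NUL if there is one, otherwise at len. */
    const unsigned char *nul = memchr(buf, 0, len);
    size_t n = nul ? (size_t)(nul - buf) : len;

    char *out = malloc(n + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, buf, n);
    out[n] = '\0';              /* always terminated, whatever the input */
    return out;
}

int main(void)
{
    /* Constructed sample: an 8-byte value with no terminator. */
    const unsigned char raw[8] = { 'r', 'e', 'p', 'o', 'r', 't', '.', 't' };

    /* Heap copy sized exactly to the declared length, as a parser might
     * allocate it; calling strdup() on it would be a heap over-read. */
    unsigned char *heap = malloc(sizeof raw);
    if (heap == NULL)
        return 1;
    memcpy(heap, raw, sizeof raw);

    char *name = attr_to_cstring(heap, sizeof raw);
    if (name == NULL) {
        free(heap);
        return 1;
    }
    printf("%s (%zu bytes)\n", name, strlen(name));
    free(name);
    free(heap);
    return 0;
}
```

Building a test harness with `-fsanitize=address` and swapping the helper for a plain `strdup()` call on the same heap buffer makes the over-read visible as a sanitizer report.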

