[Bug 1666884] Re: libytnef: February 2017 multiple vulnerabilities (X41-2017-002)

2019-04-20 Thread Simon Quigley
Unsubscribing the Security Sponsors team, please resubscribe when Seth's comments have been addressed. Thanks! -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1666884 Title: libytnef: February 2017 m

[Bug 1666884] Re: libytnef: February 2017 multiple vulnerabilities (X41-2017-002)

2019-02-09 Thread Mathew Hodson
** Changed in: libytnef (Ubuntu) Status: Confirmed => Fix Released

[Bug 1666884] Re: libytnef: February 2017 multiple vulnerabilities (X41-2017-002)

2018-06-28 Thread Leonidas S. Barbosa
Hi Michael, What is the version that is causing regression? Right now we are in 1.5-6ubuntu0.2 that addresses some CVEs and issue 58 (CVE-2017-9058) but trusty hasn't the ytnefprint. Would you mind to point us some ways to reproduce this? Thanks!

[Bug 1666884] Re: libytnef: February 2017 multiple vulnerabilities (X41-2017-002)

2018-06-29 Thread Michael Gratton
Hey Leonidas, Per this comment: https://github.com/Yeraze/ytnef/issues/45#issuecomment-392658096, if you download this example file https://bugs.mageia.org/attachment.cgi?id=9088, then run a version of ytnef with the patch from CVE-2017-9058 applied to it (e.g. libytnef0 1.9.2-2), you'll see the f

[Bug 1666884] Re: libytnef: February 2017 multiple vulnerabilities (X41-2017-002)

2018-07-02 Thread Leonidas S. Barbosa
Hey Michael, For trusty, that is the only version we have in main, and the one I did a sec update with CVE-2017-9058 it doesn't support ytnef tool, only the libytnef0 and current version is 1.5-6ubuntu0.2. It maybe indicates that trusty was not affected. I'll spend some time on this later and verif

[Bug 1666884] Re: libytnef: February 2017 multiple vulnerabilities (X41-2017-002)

2018-08-17 Thread Oliver Giles
Apologies for the late reply, I neglected to enable notifications... No, I just meant that the unpatched Trusty package isn't safe just because it doesn't contain ytnef/ytnefprint binaries. You have it right, the single patch you mention will be enough to address CVE-2017-9058. It should replace t

[Bug 1666884] Re: libytnef: February 2017 multiple vulnerabilities (X41-2017-002)

2018-06-15 Thread Michael Gratton
The remaining CVEs have recently been fixed (or will be once the last MR lands) in the library's repo. Also, importantly, the one CVE fix that Ubuntu did ship last year broke the library's normal operation, making it less than useful for decoding Resubscribing ubuntu-security-sponsors since while

[Bug 1666884] Re: libytnef: February 2017 multiple vulnerabilities (X41-2017-002)

2018-06-15 Thread Seth Arnold
Hello Michael, do you have a bug report for the regression? Thanks

[Bug 1666884] Re: libytnef: February 2017 multiple vulnerabilities (X41-2017-002)

2018-06-16 Thread Michael Gratton
Hey Seth, have a look at the last two comments in the original ticket for the first CVE that was reported: https://github.com/Yeraze/ytnef/issues/45#issuecomment-393044169 . The PR with the proper fix for the CVE mentioned there (https://github.com/Yeraze/ytnef/pull/58) has already been merged by t

[Bug 1666884] Re: libytnef: February 2017 multiple vulnerabilities (X41-2017-002)

2018-08-30 Thread Steve Beattie
** Changed in: libytnef (Ubuntu Yakkety) Status: Incomplete => Won't Fix ** Changed in: libytnef (Ubuntu Zesty) Status: Incomplete => Won't Fix

[Bug 1666884] Re: libytnef: February 2017 multiple vulnerabilities (X41-2017-002)

2018-07-12 Thread Michael Gratton
Hey Leonidas, Thanks for looking into this. It would be good to see if the updated fixes can be applied to all currently supported releases, especially since people are more likely to be running Xenial or Bionic, as well as Cosmic, so we can rely on it working going forward. Cheers!

[Bug 1666884] Re: libytnef: February 2017 multiple vulnerabilities (X41-2017-002)

2017-02-24 Thread Marc Deslauriers
** Changed in: libytnef (Ubuntu) Status: New => Confirmed

[Bug 1666884] Re: libytnef: February 2017 multiple vulnerabilities (X41-2017-002)

2017-02-24 Thread Jeremy Bicha
** Description changed: http://www.openwall.com/lists/oss-security/2017/02/15/4 https://github.com/Yeraze/ytnef/pull/27/files - Upstream calls this X41-2017-002 but there will probably be CVE numbers assigned too. - https://security-tracker.debian.org/tracker/TEMP-000-8B3E01 + Upstr

[Bug 1666884] Re: libytnef: February 2017 multiple vulnerabilities (X41-2017-002)

2018-11-09 Thread Marc Deslauriers
Someone needs to attach updated debdiffs to fix the CVEs, including the regression fix and the latest round of CVE fixes. Unsubscribing ubuntu-security-sponsors for now. Please re-subscribe the team once new debdiffs have been uploaded. Thanks!

[Bug 1666884] Re: libytnef: February 2017 multiple vulnerabilities (X41-2017-002)

2018-11-03 Thread Mathew Hodson
** Changed in: libytnef (Ubuntu) Importance: Undecided => Medium ** Changed in: libytnef (Ubuntu Trusty) Importance: Undecided => Medium ** Changed in: libytnef (Ubuntu Xenial) Importance: Undecided => Medium ** Changed in: libytnef (Ubuntu Yakkety) Importance: Undecided => Medium *

[Bug 1666884] Re: libytnef: February 2017 multiple vulnerabilities (X41-2017-002)

2018-09-14 Thread Oliver Giles
Pretty sure this also affects bionic and cosmic

[Bug 1666884] Re: libytnef: February 2017 multiple vulnerabilities (X41-2017-002)

2018-07-21 Thread Oliver Giles
Hi, I implemented those fixes to libytnef. Yeraze has just released 1.9.3 so I'm interested to see if/when it will make it to Ubuntu, and to which releases. The ytnef and ytnefprint binaries just call libytnef, both the wrong and the right fixes to CVE-2017-9068 are definitely part of the library,

[Bug 1666884] Re: libytnef: February 2017 multiple vulnerabilities (X41-2017-002)

2018-07-23 Thread Leonidas S. Barbosa
Hi Oliver, Thanks for the comments... For trusty I did an update applying: >From 0eab0e46f4828839a7f7e46e48fc33167377ec0d Mon Sep 17 00:00:00 2001 > From: Oliver Giles Date: Wed, 30 May 2018 09:06:02 +0300

[Bug 1666884] Re: libytnef: February 2017 multiple vulnerabilities (X41-2017-002)

2019-01-21 Thread Michael Gratton
Marc, anything else needed to be done here?

[Bug 1666884] Re: libytnef: February 2017 multiple vulnerabilities (X41-2017-002)

2019-01-23 Thread Marc Deslauriers
I can't actually see the patch in comment #20, I'm getting an encoding error. Are you seeing something similar?

[Bug 1666884] Re: libytnef: February 2017 multiple vulnerabilities (X41-2017-002)

2019-01-23 Thread Michael Gratton
Ah, my bad. Here it is again. It's actually just the same as for the new version in cosmic. :) ** Patch added: "libytnef_1.9.2-2_1.9.3-1.diff" https://bugs.launchpad.net/ubuntu/+source/libytnef/+bug/1666884/+attachment/5231869/+files/libytnef_1.9.2-2_1.9.3-1.diff

[Bug 1666884] Re: libytnef: February 2017 multiple vulnerabilities (X41-2017-002)

2019-01-23 Thread Seth Arnold
I've got some concerns about this: $ diffstat !$ diffstat libytnef_1.9.2-2_1.9.3-1.diff ChangeLog | 16 +++ configure.ac |2 debian/changelog | 24 + debian/compat |2 debian/control

[Bug 1666884] Re: libytnef: February 2017 multiple vulnerabilities (X41-2017-002)

2019-01-07 Thread Michael Gratton
Re-subscribed ubuntu-security-sponsors - the attached patch fixes the CVEs. NB despite the gz filename, it's actually a plain text patch. Apologies.

[Bug 1666884] Re: libytnef: February 2017 multiple vulnerabilities (X41-2017-002)

2019-01-07 Thread Michael Gratton
Attached patch updates from 1.9.2 to 1.9.3 ** Attachment added: "Patch from 1.9.2 to 1.9.3" https://bugs.launchpad.net/ubuntu/+source/libytnef/+bug/1666884/+attachment/5227501/+files/libytnef_1.9.2-2_1.9.3-1.diff.gz

[Bug 1666884] Re: libytnef: February 2017 multiple vulnerabilities (X41-2017-002)

2019-02-01 Thread Michael Gratton
Seth, no I didn't, it's just the debdiff taken from the dingo source package: https://launchpad.net/ubuntu/+source/libytnef/1.9.3-1 I admit this is pretty lazy, but assumed that since it was fine for dingo it would be fine here.

[Bug 1666884] Re: libytnef: February 2017 multiple vulnerabilities (X41-2017-002)

2017-08-03 Thread Tyler Hicks
Unsubscribing ubuntu-security-sponsors. Please subscribe the team if new debdiffs are available.

[Bug 1666884] Re: libytnef: February 2017 multiple vulnerabilities (X41-2017-002)

2017-05-24 Thread Jeremy Bicha
** Patch added: "libytnef-lp1666884-xenial.debdiff" https://bugs.launchpad.net/ubuntu/+source/libytnef/+bug/1666884/+attachment/4882630/+files/libytnef-lp1666884-xenial.debdiff

[Bug 1666884] Re: libytnef: February 2017 multiple vulnerabilities (X41-2017-002)

2017-05-24 Thread Jeremy Bicha
** Tags added: patch trusty xenial yakkety zesty ** Patch added: "libytnef-lp1666884-trusty.debdiff" https://bugs.launchpad.net/ubuntu/+source/libytnef/+bug/1666884/+attachment/4882629/+files/libytnef-lp1666884-trusty.debdiff

[Bug 1666884] Re: libytnef: February 2017 multiple vulnerabilities (X41-2017-002)

2017-05-24 Thread Jeremy Bicha
** Patch added: "libytnef-lp1666884-yakkety.debdiff" https://bugs.launchpad.net/ubuntu/+source/libytnef/+bug/1666884/+attachment/4882631/+files/libytnef-lp1666884-yakkety.debdiff

[Bug 1666884] Re: libytnef: February 2017 multiple vulnerabilities (X41-2017-002)

2017-05-24 Thread Jeremy Bicha
** Patch added: "libytnef-lp1666884-zesty.debdiff" https://bugs.launchpad.net/ubuntu/+source/libytnef/+bug/1666884/+attachment/4882632/+files/libytnef-lp1666884-zesty.debdiff ** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-9058 ** Description changed: http://www.openw

[Bug 1666884] Re: libytnef: February 2017 multiple vulnerabilities (X41-2017-002)

2017-05-24 Thread Jeremy Bicha
** Description changed: http://www.openwall.com/lists/oss-security/2017/02/15/4 https://github.com/Yeraze/ytnef/pull/27/files Upstream calls this X41-2017-002 but a bunch of CVEs have been assigned too. https://security-tracker.debian.org/tracker/source-package/libytnef Fixed in

[Bug 1666884] Re: libytnef: February 2017 multiple vulnerabilities (X41-2017-002)

2017-05-24 Thread Bug Watch Updater
** Changed in: libytnef (Debian) Status: Unknown => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1666884 Title: libytnef: February 2017 multiple vulnerabilities (X41-2017-002)

[Bug 1666884] Re: libytnef: February 2017 multiple vulnerabilities (X41-2017-002)

2017-05-25 Thread Tyler Hicks
Thanks for the debdiffs! The only change that I made was to the version used in the Zesty debdiff. I changed 1.9.2-1ubuntu0.17.04 to 1.9.2-1ubuntu0.1 as suggested here: https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging I've uploaded the packages to ppa:ubuntu-security-pr

[Bug 1666884] Re: libytnef: February 2017 multiple vulnerabilities (X41-2017-002)

2017-05-26 Thread Tyler Hicks
The testing for the Trusty update did not go as expected. The test case linked to from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862556#5 crashes Evolution the same way with and without the updated libytnef0 package. Testing on Trusty isn't straightforward because Evolution's handling of