Bug 10336

Summary: tnef security update CVE-2019-18849
Product: [ROSA-based products] ROSA Fresh Reporter: Zombie Ryushu <zombie.ryushu>
Component: Packages from MainAssignee: ROSA Linux Bugs <bugs>
Status: CONFIRMED --- QA Contact: ROSA Linux Bugs <bugs>
Severity: normal    
Priority: Normal CC: alzim, andrey.bondrov, denis.silakov, mc2374
Version: All   
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://linuxsecurity.com/advisories/deblts/debian-lts-dla-2005-1-tnef-security-update-15-19-18
Whiteboard:
Platform: --- ROSA Vulnerability identifier: CVE-2019-18849
RPM Package: tnef ISO-related:
Bad POT generating: Upstream:

Description Zombie Ryushu 2019-11-29 23:36:51 MSK 
Package        : tnef
Version        : 1.4.9-1+deb8u4
CVE ID         : CVE-2019-18849
Debian Bug     : 944851


In tnef, an attacker may be able to write to the victim's
.ssh/authorized_keys file via an e-mail message with a crafted
winmail.dat application/ms-tnef attachment, because of a heap-based
buffer over-read involving strdup.

For Debian 8 "Jessie", this problem has been fixed in version
1.4.9-1+deb8u4.

We recommend that you upgrade your tnef packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


-- 

mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunweaver@debian.org, http://sunweavers.net