tnef (1.4.9-1+deb8u2build0.14.04.1) trusty-security; urgency=medium
* fake sync from Debian
tnef (1.4.9-1+deb8u2) jessie-security; urgency=high
* Non-maintainer upload by the Wheezy LTS Team.
* While fixing the CVEs, upstream introduced a regression;
fix-regression-1.patch and fix-regression-2.patch take care of
that (Closes: #857342)
tnef (1.4.9-1+deb8u1) jessie-security; urgency=high
* Non-maintainer upload by the Wheezy LTS Team. (Closes: #856117)
* CVE-2017-6307
An issue was discovered in tnef before 1.4.13. Two OOB Writes have
been identified in src/mapi_attr.c:mapi_attr_read(). These might
lead to invalid read and write operations, controlled by an attacker.
* CVE-2017-6308
An issue was discovered in tnef before 1.4.13. Several Integer
Overflows, which can lead to Heap Overflows, have been identified
in the functions that wrap memory allocation.
* CVE-2017-6309
An issue was discovered in tnef before 1.4.13. Two type confusions
have been identified in the parse_file() function. These might lead
to invalid read and write operations, controlled by an attacker.
* CVE-2017-6310
An issue was discovered in tnef before 1.4.13. Four type confusions
have been identified in the file_add_mapi_attrs() function.
These might lead to invalid read and write operations, controlled
by an attacker.
-- Tyler Hicks <email address hidden> Mon, 17 Apr 2017 15:41:04 +0000