MingcongBai
commented
6 years ago We are not affected, since we are on the 1.9 branch and Ubuntu's newer branches (whch use the 1.9 branch) are not marked as affected. Marking invalid.
Closed l2dy closed 6 years ago
MingcongBai
commented
6 years ago We are not affected, since we are on the 1.9 branch and Ubuntu's newer branches (whch use the 1.9 branch) are not marked as affected. Marking invalid.
l2dy
commented
6 years ago e.g. CVE-2017-9146
The TNEFFillMapi function in lib/ytnef.c in libytnef in ytnef through 1.9.2 does not ensure a nonzero count value before a certain memory allocation, which allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted tnef file.
MingcongBai
commented
6 years ago Hmm I wonder why Ubuntu didn't even bother. Reopening.
MingcongBai
commented
6 years ago Fixed CVE-2017-9058, CVE-2017-9146, and CVE-2017-12141 with https://github.com/AOSC-Dev/aosc-os-abbs/commit/3bf37178b0ad04437823361596d6a6cb0c98f9a9. Other fixes pending.
MingcongBai
commented
6 years ago @l2dy Please assign an AOSA for the current fixes.
l2dy
commented
6 years ago Use AOSA-2018-0259 for CVE-2017-9058, CVE-2017-9146, CVE-2017-12141.
liushuyu
commented
6 years ago New mitigation measurements: CVE-2017-9471: https://github.com/Yeraze/ytnef/pull/56 CVE-2017-9473: https://github.com/Yeraze/ytnef/pull/57
liushuyu
commented
6 years ago @l2dy Assign AOSA for the fix: f7e1041e56fd2f0138372f384cea6cb47cb45446
l2dy
commented
6 years ago Use AOSA-2018-0276 for CVE-2017-9471, CVE-2017-9473.
Cross-References: USN-3667-1
Hopefully, upstream will release a new version soon.