Closed yyyyxf closed 7 years ago
This has been assigned CVE-2017-8911
```
$ tnef -V
tnef 1.4.15
Copyright (C) 1999-2017 by Mark Simpson
Copyright (C) 1997 by Thomas Boll (original code)
tnef comes with ABSOLUTELY NO WARRANTY.
...
$ tnef -f poc.tnef
tnef: mapi_attr.c:215: mapi_attr_read: Assertion `a->names[i].len != 0' failed.
Aborted (core dumped)
```
Is the change supposed to still do a core dump?
Yes. The assertion fails and the application terminates, dumping core. It is not an unexpected core dump such as from a memory access problem - but on purpose by using `assert`.
OK, thanks for the info. I'll get the Fedora built rpm packages pushed soon.
tnef 1.4.14

```
tnef -f $file
==11058== Invalid write of size 1
==11058==    at 0x41526B: unicode_to_utf8 (util.c:98)
==11058==    by 0x40BC14: mapi_attr_read (mapi_attr.c:215)
==11058==    by 0x412BD8: parse_file (tnef.c:305)
==11058==    by 0x402433: main (main.c:380)
```

```c
unsigned char*
unicode_to_utf8 (size_t len, unsigned char* buf)
{
    int i = 0;
    int j = 0;
    unsigned char *utf8 = malloc (3 * len/2 + 1); /* won't get any longer than this */
```
poc.zip
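
An added example, not tnef's code and not posted by anyone in this thread: a UTF-16LE to UTF-8 converter that keeps the 3-bytes-per-16-bit-unit sizing of the `malloc` shown above, but rejects a zero or odd length and returns NULL, so a caller can refuse the attribute with an error instead of aborting on an `assert`. The function name, the BMP-only handling and the premise that `len` comes straight from untrusted file data are assumptions of this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example (hypothetical helper, not tnef's unicode_to_utf8).
 * Converts UTF-16LE (BMP only) to a malloc'd, NUL-terminated UTF-8 string.
 * len is a byte count assumed to come from the untrusted input file.
 * Returns NULL when the length is unusable or allocation fails. */
unsigned char *utf16le_to_utf8_checked(size_t len, const unsigned char *buf)
{
    /* Reject empty, odd-sized and overflow-prone lengths up front, so no
     * later arithmetic on len (such as "len - 1") can wrap around. */
    if (buf == NULL || len == 0 || (len & 1) != 0 || len > SIZE_MAX / 2)
        return NULL;

    size_t units = len / 2;       /* number of 16-bit code units */
    size_t cap = 3 * units + 1;   /* at most 3 output bytes per unit, plus NUL */
    unsigned char *utf8 = malloc(cap);
    if (utf8 == NULL)
        return NULL;

    size_t j = 0;
    for (size_t i = 0; i < units; i++) {
        uint32_t c = (uint32_t)buf[2 * i] | ((uint32_t)buf[2 * i + 1] << 8);
        if (c >= 0xD800 && c <= 0xDFFF)
            c = 0xFFFD;           /* surrogates are not decoded here: replace */
        if (c < 0x80) {
            utf8[j++] = (unsigned char)c;
        } else if (c < 0x800) {
            utf8[j++] = (unsigned char)(0xC0 | (c >> 6));
            utf8[j++] = (unsigned char)(0x80 | (c & 0x3F));
        } else {
            utf8[j++] = (unsigned char)(0xE0 | (c >> 12));
            utf8[j++] = (unsigned char)(0x80 | ((c >> 6) & 0x3F));
            utf8[j++] = (unsigned char)(0x80 | (c & 0x3F));
        }
    }
    utf8[j] = '\0';               /* j <= 3 * units, so this stays inside cap */
    return utf8;
}
```

A caller treats a NULL return as a malformed attribute and stops parsing that file.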