ytnef: invalid memory read in SwapDWord


ytnef is a program to work with procmail to decode TNEF streams (winmail.dat attachments) like those created with Outlook. Unlike other similar programs, it can also create vCalendar/vCard entries from meeting requests, address cards, and task entries.

An invalid memory read vulnerability was found in the SwapDWord function in ytnef.c. It allows attackers to cause a denial of service via a crafted file.

#ytnefprint $FILE
 SEGV on unknown address 0x000000000008 (pc 0x00000052223d bp 0x7ffcf7d97890 sp 0x7ffcf7d976c0 T0)
==16379==The signal is caused by a READ memory access.
==16379==Hint: address points to the zero page.
    #0 0x52223c in SwapDWord /home/haojun/Downloads/ytnef-master/lib/ytnef.c:180:26
    #1 0x52223c in IsCompressedRTF /home/haojun/Downloads/ytnef-master/lib/ytnef.c:1479
    #2 0x52223c in MAPIPrint /home/haojun/Downloads/ytnef-master/lib/ytnef.c:1413
    #3 0x5164c2 in PrintTNEF /home/haojun/Downloads/ytnef-master/ytnefprint/main.c:169:5
    #4 0x51554a in main /home/haojun/Downloads/ytnef-master/ytnefprint/main.c:84:5
    #5 0x7f3f435d4b34 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/../csu/libc-start.c:274
    #6 0x41a8db in _start (/home/haojun/Downloads/ytnef-afl-build/bin/ytnefprint+0x41a8db)

 SEGV /home/haojun/Downloads/ytnef-master/lib/ytnef.c:180:26 in SwapDWord
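
The trace shows a read at address 0x8 in the zero page, reached through IsCompressedRTF; that is consistent with a header field being read at a small offset from a null data pointer (an inference from the trace, not something the page states). The following is an added example, not ytnef's code, of a header check that validates pointer and length before every read. The function names and sample buffers are hypothetical, and the 16-byte header layout and the "LZFu"/"MELA" magic values are taken from the compressed RTF format ([MS-OXRTFCP]), not from this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RTF_HEADER_LEN     16            /* COMPSIZE, RAWSIZE, COMPTYPE, CRC */
#define MAGIC_COMPRESSED   0x75465a4cU   /* "LZFu" */
#define MAGIC_UNCOMPRESSED 0x414c454dU   /* "MELA" */

/* Bounds-checked little-endian 32-bit read. Returns 0 on success, -1 if the
 * buffer is NULL or the four bytes at `off` do not fit inside `size`. */
static int read_le32(const uint8_t *data, size_t size, size_t off, uint32_t *out)
{
    if (data == NULL || size < 4 || off > size - 4)
        return -1;
    *out = (uint32_t)data[off] | ((uint32_t)data[off + 1] << 8) |
           ((uint32_t)data[off + 2] << 16) | ((uint32_t)data[off + 3] << 24);
    return 0;
}

/* Returns 1 only for a buffer that holds a complete header with a known
 * COMPTYPE; every NULL, truncated or inconsistent input yields 0. */
int is_compressed_rtf_checked(const uint8_t *data, size_t size)
{
    uint32_t comp_size, magic;

    if (data == NULL || size < RTF_HEADER_LEN)
        return 0;                        /* empty or truncated property value */
    if (read_le32(data, size, 0, &comp_size) || read_le32(data, size, 8, &magic))
        return 0;
    if (comp_size > size - 4)
        return 0;                        /* header claims more bytes than exist */
    return magic == MAGIC_COMPRESSED || magic == MAGIC_UNCOMPRESSED;
}

/* Constructed sample headers (not taken from any real winmail.dat). */
const uint8_t SAMPLE_OK[16]  = { 12, 0, 0, 0,  0, 0, 0, 0,  'L', 'Z', 'F', 'u' };
const uint8_t SAMPLE_LIE[16] = { 0xff, 0xff, 0xff, 0xff,  0, 0, 0, 0,  'L', 'Z', 'F', 'u' };

int main(void)
{
    printf("valid header:    %d\n", is_compressed_rtf_checked(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("NULL data:       %d\n", is_compressed_rtf_checked(NULL, 16));
    printf("truncated:       %d\n", is_compressed_rtf_checked(SAMPLE_OK, 11));
    printf("oversized claim: %d\n", is_compressed_rtf_checked(SAMPLE_LIE, sizeof SAMPLE_LIE));
    return 0;
}
```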

Affected version: 1.9.2
Fixed version: N/A
Commit fix: N/A
Credit: ADLab of Venustech.
2017-06-08: bug discovered and reported to the ytnef GitHub issue page
2017-07-30: blog post about the issue


