ytnef: invalid memory read in SwapDWord
ytnef is a program to work with procmail to decode TNEF streams (winmail.dat attachments) like those created with Outlook. Unlike other similar programs, it can also create vCalendar/vCard entries from meeting requests, address cards, and task entries.
An invalid memory read vulnerability was found in the function SwapDWord in ytnef.c. It allows attackers to cause a denial of service via a crafted file.
# ytnefprint $FILE
=================================================================
SEGV on unknown address 0x000000000008 (pc 0x00000052223d bp 0x7ffcf7d97890 sp 0x7ffcf7d976c0 T0)
==16379==The signal is caused by a READ memory access.
==16379==Hint: address points to the zero page.
    #0 0x52223c in SwapDWord /home/haojun/Downloads/ytnef-master/lib/ytnef.c:180:26
    #1 0x52223c in IsCompressedRTF /home/haojun/Downloads/ytnef-master/lib/ytnef.c:1479
    #2 0x52223c in MAPIPrint /home/haojun/Downloads/ytnef-master/lib/ytnef.c:1413
    #3 0x5164c2 in PrintTNEF /home/haojun/Downloads/ytnef-master/ytnefprint/main.c:169:5
    #4 0x51554a in main /home/haojun/Downloads/ytnef-master/ytnefprint/main.c:84:5
    #5 0x7f3f435d4b34 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/../csu/libc-start.c:274
    #6 0x41a8db in _start (/home/haojun/Downloads/ytnef-afl-build/bin/ytnefprint+0x41a8db)
SEGV /home/haojun/Downloads/ytnef-master/lib/ytnef.c:180:26 in SwapDWord
==16379==ABORTING
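The trace shows a read at address 0x8 inside SwapDWord, reached from IsCompressedRTF. That is consistent with reading a header field at offset 8 through a NULL data pointer, which is an assumption, since the page does not show the source. The C code below is an added example, not ytnef's own code: it validates pointer and length before any multi-byte read, using the hypothetical names prop_buf, read_le32 and is_compressed_rtf_checked and the compressed-RTF header layout from MS-OXRTFCP.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a length-tagged property value; not ytnef's type. */
typedef struct { const uint8_t *data; size_t size; } prop_buf;

#define RTF_HDR_LEN      16u          /* COMPSIZE, RAWSIZE, COMPTYPE, CRC */
#define RTF_COMPRESSED   0x75465A4Cu  /* "LZFu" */
#define RTF_UNCOMPRESSED 0x414C454Du  /* "MELA" */

/* Read a little-endian 32-bit value only if [off, off+4) lies inside buf.
   Returns 0 on success, -1 if the pointer is NULL or the read leaves the buffer. */
static int read_le32(const prop_buf *buf, size_t off, uint32_t *out)
{
    if (buf == NULL || buf->data == NULL) return -1;
    if (buf->size < 4 || off > buf->size - 4) return -1;
    const uint8_t *p = buf->data + off;
    *out = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return 0;
}

/* Returns 1 if buf starts with a plausible compressed-RTF header, else 0.
   A NULL, empty or truncated buffer is rejected instead of dereferenced. */
int is_compressed_rtf_checked(const prop_buf *buf)
{
    uint32_t comp_size, comp_type;
    if (buf == NULL || buf->data == NULL || buf->size < RTF_HDR_LEN) return 0;
    if (read_le32(buf, 0, &comp_size) != 0 || read_le32(buf, 8, &comp_type) != 0)
        return 0;
    /* COMPSIZE counts every byte after itself: at least the 12 remaining
       header bytes, and no more than the buffer actually holds. */
    if (comp_size < 12 || comp_size > buf->size - 4) return 0;
    return comp_type == RTF_COMPRESSED || comp_type == RTF_UNCOMPRESSED;
}

int main(void)
{
    /* Constructed sample: an empty compressed stream, header only. */
    static const uint8_t hdr[16] = { 12, 0, 0, 0,  0, 0, 0, 0,
                                     'L', 'Z', 'F', 'u',  0, 0, 0, 0 };
    prop_buf ok = { hdr, sizeof hdr }, null_data = { NULL, sizeof hdr };
    printf("valid header: %d\n", is_compressed_rtf_checked(&ok));
    printf("NULL data:    %d\n", is_compressed_rtf_checked(&null_data));
    return 0;
}
```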
Affected version: 1.9.2
Credit: ADLab of Venustech.
2017-06-08: bug discovered and reported to the ytnef GitHub issue page
2017-07-30: blog post about the issue