Hey Seth, have a look at the last two comments in the original ticket for the first CVE that was reported: https://github.com/Yeraze/ytnef/issues/45#issuecomment-393044169. The PR with the proper fix for the CVE mentioned there (https://github.com/Yeraze/ytnef/pull/58) has already been merged by the maintainer. Note it depends on at least one other PR as well.
The person that developed that ytnef PR did so after looking at adding TNEF support to Geary and noticing that ytnef was reasonably broken on some distros, including Ubuntu. Looking into it, it seems those where it is broken shipped the patch from the original CVE. Recently some additional issues have been reported; there's a yet-to-be-merged PR for those as well: https://github.com/Yeraze/ytnef/pull/71

** Bug watch added: github.com/Yeraze/ytnef/issues #45
   https://github.com/Yeraze/ytnef/issues/45

--
https://bugs.launchpad.net/bugs/1666884

Title:
  libytnef: February 2017 multiple vulnerabilities (X41-2017-002)
