Subject: [ASA-201708-10] libytnef: arbitrary code execution

Arch Linux Security Advisory ASA-201708-10
==========================================

Severity: High
Date    : 2017-08-14
CVE-ID  : CVE-2017-9058
Package : libytnef
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-275

Summary
=======

The package libytnef before version 1.9.2-2 is vulnerable to arbitrary
code execution.

Resolution
==========

Upgrade to 1.9.2-2.

# pacman -Syu "libytnef>=1.9.2-2"

The problem has been fixed upstream but no release is available yet.

Workaround
==========

None.

Description
===========

A heap-buffer-overflow vulnerability has been found in the lib/ytnef.c
module of libytnef.

Impact
======

A remote attacker can execute arbitrary code on the affected host via a
crafted TNEF file.

References
==========

https://github.com/bingosxs/fuzzdata/blob/master/ytnef-1.9/TNEFFreeMapiProps-Invalid-read.tnef?raw=true
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862556
https://security.archlinux.org/CVE-2017-9058