CVE-2019-18849 in Ubuntu

CVE-2019-18849

Priority

Description

In tnef before 1.4.18, an attacker may be able to write to the victim's
.ssh/authorized_keys file via an e-mail message with a crafted winmail.dat
application/ms-tnef attachment, because of a heap-based buffer over-read
involving strdup.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18849
https://github.com/verdammelt/tnef/pull/40
https://github.com/verdammelt/tnef/compare/1.4.17...1.4.18
https://ubuntu.com/security/notices/USN-4524-1

Notes

Package

Source: tnef (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	needed
Ubuntu 20.04 LTS:	not-affected (1.4.18-1)
Ubuntu 21.10:	not-affected (1.4.18-1)
Ubuntu 22.04 LTS:	not-affected (1.4.18-1)
Ubuntu 14.04 ESM:	DNE

Patches:

More Information

Mitre
NVD
Launchpad
Debian

Updated: 2022-04-25 00:38:07 UTC (commit ecc1009cb19540b950de59270950018900f37f15)