ytnef: Multiple Vulnerabilities

Multiple vulnerabilities have been discovered in ytnef, the worst of which could potentially lead to remote code execution.

ytnef 2024-05-08 2024-05-08 774255 remote 2.0 2.0

ytnef is a TNEF stream reader for reading winmail.dat files.

The TNEFSubjectHandler function in lib/ytnef.c allows remote attackers to cause a denial-of-service (and potentially code execution) due to a double free which can be triggered via a crafted file. The SwapWord function in lib/ytnef.c allows remote attackers to cause a denial-of-service (and potentially code execution) due to a heap buffer overflow which can be triggered via a crafted file.

Please review the referenced CVE identifiers for details.

There is no known workaround at this time.

All ytnef users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-mail/ytnef-2.0"

CVE-2021-3403
CVE-2021-3404

graaff graaff