[Users] [Bug 3457] broken winmail.dat attachments cause crash

noreply at thewildbeast.co.uk noreply at thewildbeast.co.uk
Sat Jul 4 14:12:12 CEST 2015


http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3457

--- Comment #8 from MD <crxssi at hotmail.com> ---
(In reply to comment #7)
> I took a look at the TNEF parsing code, and unfortunately, the code we have
> from libytnef is apparently written by someone who does not believe in
> the possibility of people sending malformed data.

Thanks for looking into it.

> I tried to add in some checks to prevent crashing, but after a bit of time,
> I realized I would have to overhaul the entire code, and I do not really
> have time nor motivation to do that.

There was a comment from a Mageia mailing list about security when I was doing
other research.  What they said was that the designer of the plugin integrated
decade-old code from ytnef and it has never been updated.  I wonder if it is
worth looking at the current version of ytnef and seeing if this is already
addressed and could be integrated.

> At this point, I wonder if dropping the tnef_parse plugin wouldn't be a
> better idea, since I can't rule out a possibility of a security hole, via a
> specifically crafted attachment. Instead of a crash, your computer might get
> compromised.

I actually wrote up a large bug report about security and then decided not to
send it because I thought Bugzilla was not the proper conduit.  There was a
critical vulnerability in ytnef that could allow just what you said.  They
reported it upstream to Claws and the plugin was quickly patched in GIT.  The
issue I have is that 3.11.1 has been out for over 8 months now and no new
version has been released that contains the patch.  I actually applied the
patch manually (it is just one line of code) in my copy of 3.11.1 but how many
people downloading are going to know about this potential problem?

I can't stress enough how important the tnef plugin is to business users (such
as us).  People can and do send attachments using it, and we have to access
them.  We can't change what others do, but have to deal with their decisions
and my users would have no clue how to deal with tnef without the plugin....
all they would see is "winmail.dat".  I have looked into finding some
alternative and I can't find anything that will not create a nightmare.  I wish
I were a programmer, because I would gladly try to assist with fixing whatever
is an issue.

So now there are three problems, as I see it:

1) A plugin should not cause Claws to crash.  Main claws perhaps has a design
problem with regard to plugins.  (And I still think that is probably worthy of
an additional/different discussion).

2) The tnef plugin can crash.  There is a flaw in the plugin.  At a minimum it
should completely skip parsing something it doesn't understand or something
that generates an internal error, leaving just winmail.dat.

3) Claws needs to be updated to a new numbered version from GIT ASAP to present
a security patch that is already there.

I want to thank all the developers and maintainers of Claws for making such a
great Email client.  All these years and there is nothing that can match it in
so many ways!

-- 
You are receiving this mail because:
You are the assignee for the bug.
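
The "skip what it doesn't understand, leave just winmail.dat" behaviour asked for in point 2 above can be sketched as a validation pass run before any decoding. This is an added example, not part of the original message and not code from Claws Mail or ytnef. It assumes the published TNEF layout (32-bit signature 0x223E9F78, 16-bit key, then attributes made of a level byte, 32-bit id, 32-bit length, data and a 16-bit additive checksum); `tnef_validate`, the status names and the sample bytes are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define TNEF_SIGNATURE 0x223E9F78u  /* first four bytes, little-endian */
enum tnef_status { TNEF_OK, TNEF_BAD_SIGNATURE, TNEF_TRUNCATED,
                   TNEF_BAD_LEVEL, TNEF_BAD_CHECKSUM };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Walk the whole stream before decoding anything. Any status other than
 * TNEF_OK means: do not parse, present the raw winmail.dat part instead. */
enum tnef_status tnef_validate(const uint8_t *buf, size_t len, size_t *count)
{
    size_t off = 6;                          /* 4-byte signature + 2-byte key */
    *count = 0;
    if (len < off) return TNEF_TRUNCATED;
    if (rd32(buf) != TNEF_SIGNATURE) return TNEF_BAD_SIGNATURE;
    while (off < len) {
        if (len - off < 9) return TNEF_TRUNCATED;  /* level(1) id(4) length(4) */
        uint8_t level = buf[off];
        uint32_t alen = rd32(buf + off + 5);
        off += 9;
        if (level != 1 && level != 2) return TNEF_BAD_LEVEL; /* message / attachment */
        /* Compare against the bytes that remain; off + alen could wrap. */
        if (len - off < 2 || alen > len - off - 2) return TNEF_TRUNCATED;
        uint16_t sum = 0;
        for (uint32_t i = 0; i < alen; i++) sum = (uint16_t)(sum + buf[off + i]);
        if (sum != rd16(buf + off + alen)) return TNEF_BAD_CHECKSUM;
        off += (size_t)alen + 2;             /* data + 2-byte checksum */
        (*count)++;
    }
    return TNEF_OK;
}

/* Constructed samples: one well-formed attribute, and the same bytes with
 * the length field claiming 0xFFFFFFF0 bytes of data. */
static const uint8_t sample_ok[] = { 0x78, 0x9F, 0x3E, 0x22, 0x01, 0x00,
    0x01, 0x06, 0x90, 0x08, 0x00, 0x04, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x01, 0x00, 0x01, 0x00 };
static const uint8_t sample_bad_len[] = { 0x78, 0x9F, 0x3E, 0x22, 0x01, 0x00,
    0x01, 0x06, 0x90, 0x08, 0x00, 0xF0, 0xFF, 0xFF, 0xFF,
    0x00, 0x00, 0x01, 0x00, 0x01, 0x00 };

int main(void) {   /* exit status 0 when both samples are classified as expected */
    size_t n;
    return tnef_validate(sample_ok, sizeof sample_ok, &n) != TNEF_OK ||
           tnef_validate(sample_bad_len, sizeof sample_bad_len, &n) != TNEF_TRUNCATED;
}
```

A caller would decode attributes only after this pass returns TNEF_OK, so a malformed attachment degrades to an undecoded winmail.dat rather than reaching the decoder.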


