COMMAND

    tnef

SYSTEMS AFFECTED

    tnef < 0-124

PROBLEM

    Tnef extracts e-mails compressed with MS-Outlook. The compressed
    file includes the path name to which the decompressed data should
    be written.

    By specifying a path name like /etc/passwd and sending a compressed
    mail to root, an adversary could gain remote root access to a
    system by overwriting the local password database. The same could
    happen if a mail virus scanner, like AMaViS, processes a malicious
    mail.

    TNEF support was added to AMaViS 0.2.0-pre6-clm-rl-8-20000604
    (previous versions are therefore *not* affected), but AMaViS does
    not run as root when used with qmail, exim and postfix. AMaViS
    is run as root when used with sendmail and AMaViS is called via
    Mlocal. AMaViS may not run as root when used with sendmail and
    the new relay scanning setup for AMaViS (--enable-relay).

SOLUTION

    It's also possible to use the '-x' option of tnef to specify the
    output file.

    For SuSE Linux:

        ftp://ftp.suse.com/pub/suse/axp/update/6.3/ap1/tnef-0-124.alpha.rpm
        ftp://ftp.suse.com/pub/suse/axp/update/6.3/zq1/tnef-0-124.src.rpm
        
        ftp://ftp.suse.com/pub/suse/axp/update/6.4/ap1/tnef-0-124.alpha.rpm
        ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/tnef-0-124.src.rpm
        
        
        ftp://ftp.suse.com/pub/suse/i386/update/6.3/ap1/tnef-0-124.i386.rpm
        ftp://ftp.suse.com/pub/suse/i386/update/6.3/zq1/tnef-0-124.src.rpm
        
        ftp://ftp.suse.com/pub/suse/i386/update/6.4/ap1/tnef-0-124.i386.rpm
        ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/tnef-0-124.src.rpm
        
        
        ftp://ftp.suse.com/pub/suse/ppc/update/6.3/ap1/tnef-0-124.ppc.rpm
        ftp://ftp.suse.com/pub/suse/ppc/update/6.3/zq1/tnef-0-124.src.rpm
        
        ftp://ftp.suse.com/pub/suse/ppc/update/6.4/ap1/tnef-0-124.ppc.rpm
        ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/tnef-0-124.src.rpm

    A fix for this possible security hole was provided in AMaViS
    0.2.0-pre6-clm-rl-8-20000704. It's available at

        http://sourceforge.net/projects/amavis
        http://cvsweb.amavis.org/
        http://www.computer-networking.de/~link/security/amavis-patch.php3#latest_sources

    It is recommended to use Mark Simpson's TNEF, which does not
    suffer from this security problem, as it supports the -d flag to
    extract files to a specific directory.
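
    The confinement that extracting to a specific directory calls for,
    as an added example (not code from tnef, AMaViS or this advisory).
    The helper names, the /var/tmp/scan directory and the sample file
    names are assumptions made for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>

#ifndef O_NOFOLLOW            /* hidden by strict ISO C compiler modes */
#define O_NOFOLLOW 0
#endif

/* Hypothetical helper: keep only the last component of a file name taken
 * from the attachment and join it to the extraction directory. '\\' is a
 * separator too, since the name was written by a Windows client.
 * Returns 0 on success, -1 if the name is unusable or does not fit. */
int confined_path(const char *dir, const char *name, char *out, size_t outlen)
{
    const char *base = name;
    for (const char *p = name; *p; p++)
        if (*p == '/' || *p == '\\')
            base = p + 1;
    if (*base == '\0' || strcmp(base, ".") == 0 || strcmp(base, "..") == 0)
        return -1;
    int n = snprintf(out, outlen, "%s/%s", dir, base);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hypothetical helper: create the output file inside dir. O_EXCL refuses to
 * overwrite an existing file; O_NOFOLLOW refuses a symlink planted there. */
int open_confined(const char *dir, const char *name)
{
    char path[4096];
    if (confined_path(dir, name, path, sizeof path) != 0)
        return -1;
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

int main(void)
{
    /* Constructed sample names, as they could appear inside an attachment. */
    const char *names[] = { "report.doc", "/etc/passwd", "..\\..\\boot.ini", "..", "dir/" };
    char path[256];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (confined_path("/var/tmp/scan", names[i], path, sizeof path) == 0)
            printf("%-16s -> %s\n", names[i], path);
        else
            printf("%-16s -> rejected\n", names[i]);
    }
    return 0;
}
```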