{"id":"CVE-2017-6309","details":"An issue was discovered in tnef before 1.4.13. Two type confusions have been identified in the parse_file() function. These might lead to invalid read and write operations, controlled by an attacker.","modified":"2026-04-16T06:22:51.074210650Z","published":"2017-02-24T04:59:00.637Z","references":[{"type":"ADVISORY","url":"http://www.debian.org/security/2017/dsa-3798"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/96427"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201708-02"},{"type":"FIX","url":"https://github.com/verdammelt/tnef/blob/master/ChangeLog"},{"type":"FIX","url":"https://github.com/verdammelt/tnef/commit/8dccf79857ceeb7a6d3e42c1e762e7b865d5344d"},{"type":"FIX","url":"https://www.x41-dsec.de/lab/advisories/x41-2017-004-tnef/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/verdammelt/tnef","events":[{"introduced":"0"},{"last_affected":"99c70157998ff5f3c3e0fd1669c7cffdaaa32048"},{"fixed":"8dccf79857ceeb7a6d3e42c1e762e7b865d5344d"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.4.12"}]}}],"versions":["1.4.10","1.4.11","1.4.12","TNEF-1.4.10","TNEF-1.4.11"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"8.0"}]}],"vanir_signatures_modified":"2026-04-11T04:59:45Z","vanir_signatures":[{"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["198026675381378598136918978559635950715","197883137458325931566429736762297798740","55569942874643385056030519403425481236","315820125707022736023271826673519098703","184317996038389850484672192953773378205","185285453203974010001543747009674356702","80138880471179500448504686847742226734","118583104950737412050101628815895397609","159019980136055312002084872532628473077","335174517789474268564351573248308841282","196739265562039891779507603759542927473","145465205284422879697832471009261215398","266273557503046323279278437259720171094","162230972970127941688280272217823109658","198924396823051808120438216530619477695","245336452210896202368680760890556705875"]},"deprecated":false,"target":{"file":"src/tnef.c"},"signature_version":"v1","id":"CVE-2017-6309-41fb9249","source":"https://github.com/verdammelt/tnef/commit/8dccf79857ceeb7a6d3e42c1e762e7b865d5344d"},{"deprecated":false,"digest":{"function_hash":"319602346909933704118455433288689047607","length":477},"target":{"file":"src/tnef.c","function":"get_html_data"},"signature_type":"Function","signature_version":"v1","id":"CVE-2017-6309-72677e04","source":"https://github.com/verdammelt/tnef/commit/8dccf79857ceeb7a6d3e42c1e762e7b865d5344d"},{"signature_type":"Function","digest":{"function_hash":"310883956494664830628554080819429850455","length":2259},"deprecated":false,"target":{"file":"src/tnef.c","function":"parse_file"},"signature_version":"v1","id":"CVE-2017-6309-8620f38b","source":"https://github.com/verdammelt/tnef/commit/8dccf79857ceeb7a6d3e42c1e762e7b865d5344d"},{"target":{"file":"src/file.c"},"digest":{"threshold":0.9,"line_hashes":["138151071769226433556075413545005393756","277135416163209951123219148322374609393","126412037363254035877338532476883334812","331374001695761126880190164601914750198","99585233513506211196752181403776154016","314080117118958604106246441226585877142","172483809180712672819741677129296806873","77889792418256651879989494878836407546","213532925311297395984295287185050104659","61778962349337913486931847971946079889","121809170507165259310226444774030796799","101885054850481646565370498312837885335","36113953897462618777792659918891145030","52095504080876854231110348601564875882","157692707517904794838219806960429053206","213513085965865402180640687198932305285","96058814765431795254970051666436839601"]},"signature_type":"Line","deprecated":false,"signature_version":"v1","id":"CVE-2017-6309-878b188d","source":"https://github.com/verdammelt/tnef/commit/8dccf79857ceeb7a6d3e42c1e762e7b865d5344d"},{"target":{"file":"src/file.c","function":"file_add_mapi_attrs"},"digest":{"function_hash":"256870819728380308798399002191052231","length":1190},"signature_type":"Function","deprecated":false,"signature_version":"v1","id":"CVE-2017-6309-bc847a50","source":"https://github.com/verdammelt/tnef/commit/8dccf79857ceeb7a6d3e42c1e762e7b865d5344d"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-6309.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}