Comment 10 for bug 1666884

Michael Gratton (mjog) wrote :

Hey Seth, have a look at the last two comments in the original ticket for the first CVE that was reported: https://github.com/Yeraze/ytnef/issues/45#issuecomment-393044169 . The PR with the proper fix for the CVE mentioned there (https://github.com/Yeraze/ytnef/pull/58) has already been merged by the maintainer. Note it depends on at least one other PR as well.

The person that developed that ytnef PR did so after looking at adding TNEF support to Geary and noticing that ytnef was reasonably broken on some distros, including Ubuntu. Looking into it, it seems those where it is broken shipped the patch from the original CVE.

Recently some additional issues have been reported; there's a yet-to-be-merged PR for those as well: https://github.com/Yeraze/ytnef/pull/71