+++ This bug was initially created as a clone of Bug #222275 +++ net-nntp/nzbget uses a copy of uulib that is vulnerable to CVE-2008-2266, insecure temporary file creation. I'll attach a patch that fixes the problem, extracted from Perl's Convert-UUlib by Nico Golde.
Created attachment 154789 [details, diff] uulib-CVE-2008-2266.patch
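The bug class named above, insecure temporary file creation, as an added example in C. This is not the attached patch and not uulib's or nzbget's code: it shows the general pattern. A temporary name derived from a guessable value (the PID) and opened with fopen("w") follows a symlink an attacker planted at that name, so the link target gets truncated; creating the file with O_CREAT|O_EXCL, as mkstemp() does, refuses a pre-existing path (symlink or file) instead. The `uu` prefix, the working directory under $TMPDIR, and all helper names are assumptions for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define PREFIX "uu"   /* assumed prefix for the demo, not uulib's actual naming */

/* Insecure pattern: guessable name (PID-based) opened with fopen("w"), i.e.
 * O_CREAT without O_EXCL. A symlink planted at that name is followed and
 * its target truncated. */
static FILE *insecure_tempfile(const char *dir, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%s%ld", dir, PREFIX, (long)getpid());
    if (n < 0 || (size_t)n >= outlen)
        return NULL;
    return fopen(out, "w");
}

/* Hardened replacement: mkstemp() chooses the suffix and creates the file
 * atomically with O_CREAT|O_EXCL and mode 0600. */
static int secure_tempfile(const char *dir, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%sXXXXXX", dir, PREFIX);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return mkstemp(out);
}

/* Post-creation check on the descriptor actually written to: regular file,
 * single link, no group/other permission bits. Returns 1 when all hold. */
static int tempfile_is_safe(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1)
        return 0;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* Private scratch directory under $TMPDIR (or /tmp); returns 1 on success. */
static int make_workdir(char *dir, size_t dirlen)
{
    const char *base = getenv("TMPDIR");
    if (base == NULL || *base == '\0')
        base = "/tmp";
    int n = snprintf(dir, dirlen, "%s/uudemo-XXXXXX", base);
    if (n < 0 || (size_t)n >= dirlen)
        return 0;
    return mkdtemp(dir) != NULL;
}

/* Attacker predicts the name and plants a symlink to a victim file holding
 * data; returns 1 if insecure_tempfile() truncated the victim through it. */
static int symlink_attack_succeeds(const char *dir)
{
    char victim[4096], planted[4096], got[4096];
    struct stat st;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    FILE *v = fopen(victim, "w");
    if (v == NULL)
        return -1;
    fputs("important data\n", v);   /* constructed content */
    fclose(v);
    snprintf(planted, sizeof planted, "%s/%s%ld", dir, PREFIX, (long)getpid());
    if (symlink(victim, planted) != 0)
        return -1;
    FILE *t = insecure_tempfile(dir, got, sizeof got);
    if (t != NULL)
        fclose(t);
    int clobbered = (stat(victim, &st) == 0 && st.st_size == 0);
    unlink(planted);
    unlink(victim);
    return clobbered;
}

/* O_CREAT|O_EXCL must fail with EEXIST on a planted symlink, even a dangling
 * one; returns 1 when it does. */
static int excl_refuses_symlink(const char *dir)
{
    char planted[4096];
    snprintf(planted, sizeof planted, "%s/planted", dir);
    if (symlink("/nonexistent/target", planted) != 0)
        return -1;
    int fd = open(planted, O_WRONLY | O_CREAT | O_EXCL, 0600);
    int refused = (fd < 0 && errno == EEXIST);
    if (fd >= 0)
        close(fd);
    unlink(planted);
    return refused;
}

/* Runs all three checks in a fresh directory and cleans up. Bit 0: the attack
 * against the insecure pattern worked; bit 1: O_EXCL refused the symlink;
 * bit 2: the mkstemp() file passed tempfile_is_safe(). Returns 7 when the
 * vulnerability and both mitigations behave as described. */
int run_demo(void)
{
    char dir[4096], path[4096];
    int result = 0;
    if (!make_workdir(dir, sizeof dir))
        return -1;
    if (symlink_attack_succeeds(dir) == 1)
        result |= 1;
    if (excl_refuses_symlink(dir) == 1)
        result |= 2;
    int fd = secure_tempfile(dir, path, sizeof path);
    if (fd >= 0) {
        if (tempfile_is_safe(fd))
            result |= 4;
        close(fd);
        unlink(path);
    }
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = run_demo();
    printf("attack on insecure pattern succeeded: %d, O_EXCL refused symlink: %d, "
           "mkstemp file safe: %d\n", !!(r & 1), !!(r & 2), !!(r & 4));
    return r == 7 ? 0 : 1;
}
```

The check in tempfile_is_safe() is done on the descriptor, not the path, so it cannot be raced the way a stat-then-open sequence can; the same applies to any later writes, which should go through that descriptor rather than reopening the name.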
Version 0.3.0 and later of nzbget do not ship uudeview themselves anymore, but allow building against the static library built by uudeview. So a bump would fix this bug. However, this would result in losing support for some encoding formats, or an ugly hack to extract the uudeview sources. Or we could try and build a proper library out of uudeview.
I have an outstanding version bump to 0.4.0. That version has "- removed support for uulib-decoder (it did not work well anyway)" in its ChangeLog. So, when going to 0.4.0 we can avoid all the hassle of uulib.
OK, 0.4.0 is in the tree. I completely removed the alpha and ppc keywords due to the new dependency on app-arch/libpar2.
Arches, please test and mark stable: =net-nntp/nzbget-0.4.0 Target keywords: "release x86". Furthermore, we need ~ppc and ~alpha.
x86 stable
Keyworded both on alpha.
re-added ~ppc
Fixed in release snapshot.
Ready for vote, I vote YES.
yes too and GLSA request filed.
GLSA 200808-11