Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 224193 (CVE-2008-2266) - net-nntp/nzbget <0.4.0 uulib Insecure Temporary File Creation (CVE-2008-2266)
Summary: net-nntp/nzbget <0.4.0 uulib Insecure Temporary File Creation (CVE-2008-2266)
Status: RESOLVED FIXED
Alias: CVE-2008-2266
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/30171/
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-05-30 05:58 UTC by Robert Buchholz (RETIRED)
Modified: 2008-08-11 18:47 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
uulib-CVE-2008-2266.patch (uulib-CVE-2008-2266.patch,3.12 KB, patch)
2008-05-30 05:59 UTC, Robert Buchholz (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2008-05-30 05:58:13 UTC
+++ This bug was initially created as a clone of Bug #222275 +++

net-nntp/nzbget uses a copy of uulib that is vulnerable to CVE-2008-2266, insecure temporary file creation. I'll attach a patch that fixes the problem, extracted from Perl's Convert-UUlib by Nico Golde.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-05-30 05:59:48 UTC
Created attachment 154789 [details, diff]
uulib-CVE-2008-2266.patch
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-05-30 06:15:47 UTC
Version 0.3.0 and later of nzbget do not ship uudeview themselves anymore, but allow building against the static library built by uudeview. So a bump would fix this bug. However, this would result in losing support for some encoding formats, or an ugly hack to extract the uudeview sources.
Or we could try and build a proper library out of uudeview.
Comment 3 Sven Wegener gentoo-dev 2008-05-30 21:50:08 UTC
I have an outstanding version bump to 0.4.0. That version has

  - removed support for uulib-decoder (it did not work well anyway);

it its ChangeLog. So, when going to 0.4.0 we can avoid all the hassle of uulib.
Comment 4 Sven Wegener gentoo-dev 2008-05-30 22:02:35 UTC
OK, 0.4.0 is in the tree. I completely removed the alpha and ppc keywords due to the new dependency on app-arch/libpar2.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-05-31 08:04:33 UTC
Arches, please test and mark stable:
=net-nntp/nzbget-0.4.0
Target keywords : "release x86"

Furthermore, we need ~ppc and ~alpha.
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2008-05-31 13:55:02 UTC
x86 stable
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2008-06-04 18:43:11 UTC
Keyworded both on alpha.
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2008-06-05 18:53:43 UTC
re-added ~ppc
Comment 9 Peter Volkov (RETIRED) gentoo-dev 2008-06-06 07:56:21 UTC
Fixed in release snapshot.
Comment 10 Tobias Heinlein (RETIRED) gentoo-dev 2008-06-14 10:49:51 UTC
Ready for vote, I vote YES.
Comment 11 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-07-06 18:31:02 UTC
yes too and GLSA request filed.
Comment 12 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-08-11 18:47:35 UTC
GLSA 200808-11