224193 CVE-2008-2266 2008-05-30 05:58 0000 net-nntp/nzbget <0.4.0 uulib Insecure Temporary File Creation (CVE-2008-2266) 2008-08-11 18:47:35 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://secunia.com/advisories/30171/ B3 [glsa] P2 minor --- 1 rbu@gentoo.org security@gentoo.org net-news@gentoo.org swegener@gentoo.org rbu@gentoo.org 2008-05-30 05:58:13 0000 +++ This bug was initially created as a clone of Bug #222275 +++ net-nntp/nzbget uses a copy of uulib that is vulnerable to CVE-2008-2266, insecure temporary file creation. I'll attach a patch that fixes the problem, extracted from Perl's Convert-UUlib by Nico Golde. rbu@gentoo.org 2008-05-30 05:59:48 0000 Created an attachment (id=154789) uulib-CVE-2008-2266.patch rbu@gentoo.org 2008-05-30 06:15:47 0000 Version 0.3.0 and later of nzbget do not ship uudeview themselves anymore, but allow building against the static library built by uudeview. So a bump would fix this bug. However, this would result in losing support for some encoding formats, or an ugly hack to extract the uudeview sources. Or we could try and build a proper library out of uudeview. swegener@gentoo.org 2008-05-30 21:50:08 0000 I have an outstanding version bump to 0.4.0. That version has - removed support for uulib-decoder (it did not work well anyway); it its ChangeLog. So, when going to 0.4.0 we can avoid all the hassle of uulib. swegener@gentoo.org 2008-05-30 22:02:35 0000 OK, 0.4.0 is in the tree. I completely removed the alpha and ppc keywords due to the new dependency on app-arch/libpar2. rbu@gentoo.org 2008-05-31 08:04:33 0000 Arches, please test and mark stable: =net-nntp/nzbget-0.4.0 Target keywords : "release x86" Furthermore, we need ~ppc and ~alpha. fauli@gentoo.org 2008-05-31 13:55:02 0000 x86 stable klausman@gentoo.org 2008-06-04 18:43:11 0000 Keyworded both on alpha. dertobi123@gentoo.org 2008-06-05 18:53:43 0000 re-added ~ppc pva@gentoo.org 2008-06-06 07:56:21 0000 Fixed in release snapshot. keytoaster@gentoo.org 2008-06-14 10:49:51 0000 Ready for vote, I vote YES. py@gentoo.org 2008-07-06 18:31:02 0000 yes too and GLSA request filed. py@gentoo.org 2008-08-11 18:47:35 0000 GLSA 200808-11 154789 2008-05-30 05:59 0000 uulib-CVE-2008-2266.patch uulib-CVE-2008-2266.patch text/plain SW5kZXg6IG56YmdldC0wLjIuMy91dWxpYi91dW5jb25jLmMKPT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gbnpiZ2V0 LTAuMi4zLm9yaWcvdXVsaWIvdXVuY29uYy5jCisrKyBuemJnZXQtMC4yLjMvdXVsaWIvdXVuY29u Yy5jCkBAIC0xMzExLDYgKzEzMTEsMTEgQEAgVVVEZWNvZGUgKHV1bGlzdCAqZGF0YSkKICAgY2hh ciAqbW9kZSwgKm50bXA7CiAgIHV1ZmlsZSAqaXRlcjsKICAgc2l6ZV90IGJ5dGVzOworI2lmZGVm IEhBVkVfTUtTVEVNUAorICBpbnQgdG1wZmQ7CisgIGNvbnN0IGNoYXIgKnRtcHByZWZpeCA9ICJ1 dVhYWFhYWCI7CisgIGNoYXIgKnRtcGRpciA9IE5VTEw7CisjZW5kaWYgLyogSEFWRV9NS1NURU1Q ICovCiAKICAgaWYgKGRhdGEgPT0gTlVMTCB8fCBkYXRhLT50aGlzZmlsZSA9PSBOVUxMKQogICAg IHJldHVybiBVVVJFVF9JTExWQUw7CkBAIC0xMzI5LDEzICsxMzM0LDM1IEBAIFVVRGVjb2RlICh1 dWxpc3QgKmRhdGEpCiAgIGVsc2UKICAgICBtb2RlID0gIndiIjsJLyogb3RoZXJ3aXNlIGluIGJp bmFyeSAgICAgICAgICAqLwogCisjaWZkZWYgSEFWRV9NS1NURU1QCisgIGlmICgoZ2V0dWlkKCk9 PWdldGV1aWQoKSkgJiYgKGdldGdpZCgpPT1nZXRlZ2lkKCkpKSB7CisJICB0bXBkaXI9Z2V0ZW52 KCJUTVBESVIiKTsKKyAgfQorCisgIGlmICghdG1wZGlyKSB7CisJICB0bXBkaXIgPSAiL3RtcCI7 CisgIH0KKyAgZGF0YS0+YmluZmlsZSA9IG1hbGxvYyhzdHJsZW4odG1wZGlyKStzdHJsZW4odG1w cHJlZml4KSsyKTsKKworICBpZiAoIWRhdGEtPmJpbmZpbGUpIHsKKyNlbHNlCiAgIGlmICgoZGF0 YS0+YmluZmlsZSA9IHRlbXBuYW0gKE5VTEwsICJ1dSIpKSA9PSBOVUxMKSB7CisjZW5kaWYgLyog SEFWRV9NS1NURU1QICovCiAgICAgVVVNZXNzYWdlICh1dW5jb25jX2lkLCBfX0xJTkVfXywgVVVN U0dfRVJST1IsCiAJICAgICAgIHV1c3RyaW5nIChTX05PX1RFTVBfTkFNRSkpOwogICAgIHJldHVy biBVVVJFVF9OT01FTTsKICAgfQogCisjaWZkZWYgSEFWRV9NS1NURU1QCisgIHN0cmNweShkYXRh LT5iaW5maWxlLCB0bXBkaXIpOworICBzdHJjYXQoZGF0YS0+YmluZmlsZSwgIi8iKTsKKyAgc3Ry Y2F0KGRhdGEtPmJpbmZpbGUsIHRtcHByZWZpeCk7CisKKyAgaWYgKCh0bXBmZCA9IG1rc3RlbXAo ZGF0YS0+YmluZmlsZSkpID09IC0xIHx8IAorCSAgKGRhdGFvdXQgPSBmZG9wZW4odG1wZmQsIG1v ZGUpKSA9PSBOVUxMKSB7CisjZWxzZQogICBpZiAoKGRhdGFvdXQgPSBmb3BlbiAoZGF0YS0+Ymlu ZmlsZSwgbW9kZSkpID09IE5VTEwpIHsKKyNlbmRpZiAvKiBIQVZFX01LU1RFTVAgKi8KICAgICAv KgogICAgICAqIHdlIGNvdWxkbid0IGNyZWF0ZSBhIHRlbXBvcmFyeSBmaWxlLiBVc3VhbGx5IHRo aXMgbWVhbnMgdGhhdCBUTVAKICAgICAgKiBhbmQgVEVNUCBhcmVuJ3Qgc2V0CkBAIC0xMzQzLDEx ICsxMzcwLDE4IEBAIFVVRGVjb2RlICh1dWxpc3QgKmRhdGEpCiAgICAgVVVNZXNzYWdlICh1dW5j b25jX2lkLCBfX0xJTkVfXywgVVVNU0dfRVJST1IsCiAJICAgICAgIHV1c3RyaW5nIChTX1dSX0VS Ul9UQVJHRVQpLAogCSAgICAgICBkYXRhLT5iaW5maWxlLCBzdHJlcnJvciAodXVfZXJybm8gPSBl cnJubykpOworI2lmZGVmIEhBVkVfTUtTVEVNUAorCWlmICh0bXBmZCAhPSAtMSkgeworCQl1bmxp bmsoZGF0YS0+YmluZmlsZSk7CisJCWNsb3NlKHRtcGZkKTsKKyAgICB9CisjZW5kaWYgLyogSEFW RV9NS1NURU1QICovCiAgICAgX0ZQX2ZyZWUgKGRhdGEtPmJpbmZpbGUpOwogICAgIGRhdGEtPmJp bmZpbGUgPSBOVUxMOwogICAgIHV1X2Vycm5vID0gZXJybm87CiAgICAgcmV0dXJuIFVVUkVUX0lP RVJSOwogICB9CisKICAgLyoKICAgICogd2UgZG9uJ3QgaGF2ZSBiZWdpbiBsaW5lcyBpbiBCYXNl NjQgb3IgcGxhaW4gdGV4dCBmaWxlcy4KICAgICovCkBAIC0xNDk2LDcgKzE1MzAsMTMgQEAgVVVE ZWNvZGUgKHV1bGlzdCAqZGF0YSkKICAgICovCiAKICAgaWYgKGRhdGEtPnV1ZGV0ID09IEJIX0VO Q09ERUQgJiYgZGF0YS0+YmluZmlsZSkgeworI2lmZGVmIEhBVkVfTUtTVEVNUAorCSAgbnRtcCA9 IG1hbGxvYyhzdHJsZW4odG1wZGlyKStzdHJsZW4odG1wcHJlZml4KSsyKTsKKwkgIAorCSAgaWYg KG50bXAgPT0gTlVMTCkgeworI2Vsc2UKICAgICBpZiAoKG50bXAgPSB0ZW1wbmFtIChOVUxMLCAi dXUiKSkgPT0gTlVMTCkgeworI2VuZGlmIC8qIEhBVkVfTUtTVEVNUCAqLwogICAgICAgVVVNZXNz YWdlICh1dW5jb25jX2lkLCBfX0xJTkVfXywgVVVNU0dfRVJST1IsCiAJCSB1dXN0cmluZyAoU19O T19URU1QX05BTUUpKTsKICAgICAgIHByb2dyZXNzLmFjdGlvbiA9IDA7CkBAIC0xNTEwLDE1ICsx NTUwLDMxIEBAIFVVRGVjb2RlICh1dWxpc3QgKmRhdGEpCiAgICAgICBmcmVlIChudG1wKTsKICAg ICAgIHJldHVybiBVVVJFVF9JT0VSUjsKICAgICB9CisKKyNpZmRlZiBIQVZFX01LU1RFTVAKKyAg ICBzdHJjcHkobnRtcCwgdG1wZGlyKTsKKyAgICBzdHJjYXQobnRtcCwgIi8iKTsKKyAgICBzdHJj YXQobnRtcCwgdG1wcHJlZml4KTsgCisgICAgaWYgKCh0bXBmZCA9IG1rc3RlbXAobnRtcCkpID09 IC0xIHx8CisJCShkYXRhb3V0ID0gZmRvcGVuKHRtcGZkLCAid2IiKSkgPT0gTlVMTCkgeworI2Vs c2UKICAgICBpZiAoKGRhdGFvdXQgPSBmb3BlbiAobnRtcCwgIndiIikpID09IE5VTEwpIHsKKyNl bmRpZiAvKiBIQVZFX01LU1RFTVAgKi8KICAgICAgIFVVTWVzc2FnZSAodXVuY29uY19pZCwgX19M SU5FX18sIFVVTVNHX0VSUk9SLAogCQkgdXVzdHJpbmcgKFNfTk9UX09QRU5fVEFSR0VUKSwKIAkJ IG50bXAsIHN0cmVycm9yICh1dV9lcnJubyA9IGVycm5vKSk7CiAgICAgICBwcm9ncmVzcy5hY3Rp b24gPSAwOwogICAgICAgZmNsb3NlIChkYXRhaW4pOworI2lmZGVmIEhBVkVfTUtTVEVNUAorCSAg aWYgKHRtcGZkICE9IC0xKSB7CisJCSAgdW5saW5rKG50bXApOworCQkgIGNsb3NlKHRtcGZkKTsK KwkgIH0KKyNlbmRpZiAvKiBIQVZFX01LU1RFTVAgKi8KICAgICAgIGZyZWUgICAobnRtcCk7CiAg ICAgICByZXR1cm4gVVVSRVRfSU9FUlI7CiAgICAgfQorCiAgICAgLyoKICAgICAgKiByZWFkIGZv cmsgbGVuZ3Rocy4gcmVtZW1iZXIgdGhleSdyZSBpbiBNb3Rvcm9sYSBmb3JtYXQKICAgICAgKi8K