| Summary: | net-nntp/nzbget <0.4.0 uulib Insecure Temporary File Creation (CVE-2008-2266) | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Robert Buchholz (RETIRED) <rbu> | ||||
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> | ||||
| Status: | RESOLVED FIXED | ||||||
| Severity: | minor | CC: | net-news, swegener | ||||
| Priority: | High | ||||||
| Version: | unspecified | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| URL: | http://secunia.com/advisories/30171/ | ||||||
| Whiteboard: | B3 [glsa] | ||||||
| Package list: | Runtime testing required: | --- | |||||
| Attachments: |
|
||||||
|
Description
Robert Buchholz (RETIRED)
2008-05-30 05:58:13 UTC
Created attachment 154789 [details, diff]
uulib-CVE-2008-2266.patch
Version 0.3.0 and later of nzbget do not ship uudeview themselves anymore, but allow building against the static library built by uudeview. So a bump would fix this bug. However, this would result in losing support for some encoding formats, or an ugly hack to extract the uudeview sources. Or we could try and build a proper library out of uudeview. I have an outstanding version bump to 0.4.0. That version has - removed support for uulib-decoder (it did not work well anyway); it its ChangeLog. So, when going to 0.4.0 we can avoid all the hassle of uulib. OK, 0.4.0 is in the tree. I completely removed the alpha and ppc keywords due to the new dependency on app-arch/libpar2. Arches, please test and mark stable: =net-nntp/nzbget-0.4.0 Target keywords : "release x86" Furthermore, we need ~ppc and ~alpha. x86 stable Keyworded both on alpha. re-added ~ppc Fixed in release snapshot. Ready for vote, I vote YES. yes too and GLSA request filed. GLSA 200808-11 |