Bug 224193 - net-nntp/nzbget <0.4.0 uulib Insecure Temporary File Creation (CVE-2008-2266)
Bug#: 224193 (CVE-2008-2266) Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: minor Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: rbu@gentoo.org
Component: Vulnerabilities
URL:  http://secunia.com/advisories/30171/
Summary: net-nntp/nzbget <0.4.0 uulib Insecure Temporary File Creation (CVE-2008-2266)
Keywords:  
Status Whiteboard: B3 [glsa]
Opened: 2008-05-30 05:58 0000
Description:   Opened: 2008-05-30 05:58 0000 
+++ This bug was initially created as a clone of Bug #222275 +++

net-nntp/nzbget uses a copy of uulib that is vulnerable to CVE-2008-2266,
insecure temporary file creation. I'll attach a patch that fixes the problem,
extracted from Perl's Convert-UUlib by Nico Golde.

------- Comment #1 From Robert Buchholz 2008-05-30 05:59:48 0000 ------- 
Created an attachment (id=154789) [details]
uulib-CVE-2008-2266.patch

------- Comment #2 From Robert Buchholz 2008-05-30 06:15:47 0000 ------- 
Version 0.3.0 and later of nzbget do not ship uudeview themselves anymore, but
allow building against the static library built by uudeview. So a bump would
fix this bug. However, this would result in losing support for some encoding
formats, or an ugly hack to extract the uudeview sources.
Or we could try and build a proper library out of uudeview.

------- Comment #3 From Sven Wegener 2008-05-30 21:50:08 0000 ------- 
I have an outstanding version bump to 0.4.0. That version has

  - removed support for uulib-decoder (it did not work well anyway);

it its ChangeLog. So, when going to 0.4.0 we can avoid all the hassle of uulib.

------- Comment #4 From Sven Wegener 2008-05-30 22:02:35 0000 ------- 
OK, 0.4.0 is in the tree. I completely removed the alpha and ppc keywords due
to the new dependency on app-arch/libpar2.

------- Comment #5 From Robert Buchholz 2008-05-31 08:04:33 0000 ------- 
Arches, please test and mark stable:
=net-nntp/nzbget-0.4.0
Target keywords : "release x86"

Furthermore, we need ~ppc and ~alpha.

------- Comment #6 From Christian Faulhammer 2008-05-31 13:55:02 0000 ------- 
x86 stable

------- Comment #7 From Tobias Klausmann 2008-06-04 18:43:11 0000 ------- 
Keyworded both on alpha.

------- Comment #8 From Tobias Scherbaum 2008-06-05 18:53:43 0000 ------- 
re-added ~ppc

------- Comment #9 From Peter Volkov 2008-06-06 07:56:21 0000 ------- 
Fixed in release snapshot.

------- Comment #10 From Tobias Heinlein 2008-06-14 10:49:51 0000 ------- 
Ready for vote, I vote YES.

------- Comment #11 From Pierre-Yves Rofes 2008-07-06 18:31:02 0000 ------- 
yes too and GLSA request filed.

------- Comment #12 From Pierre-Yves Rofes 2008-08-11 18:47:35 0000 ------- 
GLSA 200808-11