Bug#: 224193
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Robert Buchholz <rbu@gentoo.org>
Filename Description Type Creator Created Size Actions
uulib-CVE-2008-2266.patch uulib-CVE-2008-2266.patch patch Robert Buchholz 2008-05-30 05:59 0000 3.12 KB Details | Diff
Description:   Opened: 2008-05-30 05:58 0000
+++ This bug was initially created as a clone of Bug #222275 +++

net-nntp/nzbget uses a copy of uulib that is vulnerable to CVE-2008-2266,
insecure temporary file creation. I'll attach a patch that fixes the problem,
extracted from Perl's Convert-UUlib by Nico Golde.
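The vulnerability class named in this report (insecure temporary file creation: a guessable name opened without O_EXCL, so a pre-planted symlink redirects the write) is best understood next to the hardened pattern. The following is an added C example and is not the uulib patch attached to this bug nor nzbget code; the function names `create_private_tempfile` and `tempfile_is_private` and the `uulib-XXXXXX` template are this example's own choices.

```c
/* Added example (not from the uulib/nzbget patch on this bug): safe
 * temporary-file creation in C as the fix pattern for the CVE-2008-2266
 * vulnerability class. The function names below are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The insecure pattern this replaces, shown only as a comment:
 *   sprintf(name, "%s/uu%d.tmp", tmpdir, getpid()); fp = fopen(name, "w");
 * The name is predictable from the pid and fopen() happily follows a
 * symlink that another local user planted at that path in advance. */

/* Create a private temp file inside `dir`. On success the opened
 * descriptor is returned and the real path is written to path_out;
 * on failure -1 is returned with errno set. */
int create_private_tempfile(const char *dir, char *path_out, size_t path_len) {
    if (dir == NULL || path_out == NULL) { errno = EINVAL; return -1; }
    int n = snprintf(path_out, path_len, "%s/uulib-XXXXXX", dir);
    if (n < 0 || (size_t)n >= path_len) { errno = ENAMETOOLONG; return -1; }
    mode_t old = umask(077);      /* guarantee 0600 even on old libcs */
    int fd = mkstemp(path_out);   /* O_CREAT|O_EXCL with a random suffix */
    umask(old);
    return fd;
}

/* Post-condition check a defender can keep in the code path: the
 * descriptor must be a regular file, not group/other accessible, and
 * have a single link (i.e. not something an attacker also holds open
 * under another name). Returns 1 when all checks pass, else 0. */
int tempfile_is_private(int fd) {
    struct stat st;
    if (fstat(fd, &st) != 0) return 0;
    if (!S_ISREG(st.st_mode)) return 0;
    if ((st.st_mode & 077) != 0) return 0;
    if (st.st_nlink != 1) return 0;
    return 1;
}

int main(void) {
    char path[4096];
    int fd = create_private_tempfile("/tmp", path, sizeof path);
    if (fd < 0) { perror("create_private_tempfile"); return 1; }
    printf("created %s private=%d\n", path, tempfile_is_private(fd));
    close(fd);
    unlink(path);
    return 0;
}
```

The key property is that the name is chosen and the file opened atomically by `mkstemp()`, so there is no window in which a local attacker can place a symlink at the path; the `fstat()` check is a cheap belt-and-braces guard that also catches misconfigured directories.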

------- Comment #1 From Robert Buchholz 2008-05-30 05:59:48 0000 -------
Created an attachment (id=154789) [details]
uulib-CVE-2008-2266.patch

------- Comment #2 From Robert Buchholz 2008-05-30 06:15:47 0000 -------
Version 0.3.0 and later of nzbget do not ship uudeview themselves anymore, but
allow building against the static library built by uudeview. So a bump would
fix this bug. However, this would result in losing support for some encoding
formats, or an ugly hack to extract the uudeview sources.
Or we could try and build a proper library out of uudeview.

------- Comment #3 From Sven Wegener 2008-05-30 21:50:08 0000 -------
I have an outstanding version bump to 0.4.0. That version has

  - removed support for uulib-decoder (it did not work well anyway);

in its ChangeLog. So, when going to 0.4.0 we can avoid all the hassle of uulib.

------- Comment #4 From Sven Wegener 2008-05-30 22:02:35 0000 -------
OK, 0.4.0 is in the tree. I completely removed the alpha and ppc keywords due
to the new dependency on app-arch/libpar2.

------- Comment #5 From Robert Buchholz 2008-05-31 08:04:33 0000 -------
Arches, please test and mark stable:
=net-nntp/nzbget-0.4.0
Target keywords : "release x86"

Furthermore, we need ~ppc and ~alpha.

------- Comment #6 From Christian Faulhammer 2008-05-31 13:55:02 0000 -------
x86 stable

------- Comment #7 From Tobias Klausmann 2008-06-04 18:43:11 0000 -------
Keyworded both on alpha.

------- Comment #8 From Tobias Scherbaum 2008-06-05 18:53:43 0000 -------
re-added ~ppc

------- Comment #9 From Peter Volkov 2008-06-06 07:56:21 0000 -------
Fixed in release snapshot.

------- Comment #10 From Tobias Heinlein 2008-06-14 10:49:51 0000 -------
Ready for vote, I vote YES.

------- Comment #11 From Pierre-Yves Rofes 2008-07-06 18:31:02 0000 -------
yes too and GLSA request filed.

------- Comment #12 From Pierre-Yves Rofes 2008-08-11 18:47:35 0000 -------
GLSA 200808-11
