Bug 352317 - <dev-perl/Convert-UUlib-1.34: DoS
Summary: <dev-perl/Convert-UUlib-1.34: DoS
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://secunia.com/advisories/42998/
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-01-21 07:26 UTC by Paweł Hajdan, Jr. (RETIRED)
Modified: 2011-02-23 22:36 UTC

See Also:
Package list:
Runtime testing required: ---
Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-01-21 07:26:12 UTC
A weakness has been reported in the Convert::UUlib module for Perl, which can potentially be exploited by malicious people to potentially cause a DoS (Denial of Service).

The weakness is caused due to an off-by-one error in the "UURepairData()" function (uulib/uunconc.c) when handling an incomplete uuencoded string. This can be exploited to write a single NULL byte outside the bounds of a heap-based buffer in an application using the vulnerable library.

The weakness is reported in versions prior to 1.34.
Comment 1 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-01-21 07:27:33 UTC
It seems like we should stabilize dev-perl/Convert-UUlib-1.340. Is that correct? If yes, please CC arches and add STABLEREQ keyword.
Comment 2 Torsten Veller (RETIRED) gentoo-dev 2011-01-21 07:33:02 UTC
Correct.
Comment 3 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-01-21 07:54:07 UTC
Please stabilize =dev-perl/Convert-UUlib-1.340
Comment 4 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-01-21 08:35:03 UTC
ppc/ppc64 stable
Comment 5 Markos Chandras (RETIRED) gentoo-dev 2011-01-21 09:53:43 UTC
amd64 done
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2011-01-21 13:47:13 UTC
x86 stable
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2011-01-22 11:22:01 UTC
alpha/arm/ia64/m68k/s390/sh/sparc stable
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2011-01-24 03:25:07 UTC
Stable for HPPA.
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2011-01-24 14:51:23 UTC
Thanks, folks. GLSA Vote: no.
Comment 10 Stefan Behte (RETIRED) gentoo-dev Security 2011-02-23 22:36:20 UTC
GLSA Vote: no, closing noglsa.