Bug 724504 - dev-libs/uulib: Likely vulnerable to same as dev-perl/Convert-UUlib
Status: IN_PROGRESS
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Auditing
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Reported: 2020-05-21 20:52 UTC by Sam James
Modified: 2022-11-24 16:53 UTC

Description Sam James (archtester, Gentoo Infrastructure, gentoo-dev, Security) 2020-05-21 20:52:42 UTC
See e.g. bug 724494.

dev-libs/uulib has only 2 rdeps; it wouldn't be too much work to test with dev-perl/Convert-UUlib's fork, or see if we can backport the security fixes in the Perl version.

Note that the Perl module includes a fork, not a bundling (thanks kent\n).

Comment 1 Hanno Böck (gentoo-dev) 2022-11-24 16:53:35 UTC
The 2009 issue is this one:
https://bugzilla.redhat.com/show_bug.cgi?id=1711098

It contains a hexdump of the proof of concept and does not crash uudeview, so I can only assume it's unaffected. I'll try to track down the PoC for the 2015 issue as well.