798120 – (CVE-2021-29488) <net-nntp/sabnzbd-3.2.1: directory traversal via malicious PAR2 files (CVE-2021-29488)

Bug 798120 (CVE-2021-29488) - <net-nntp/sabnzbd-3.2.1: directory traversal via malicious PAR2 files (CVE-2021-29488)

Summary: <net-nntp/sabnzbd-3.2.1: directory traversal via malicious PAR2 files (CVE-20...

Status:	RESOLVED FIXED

Alias:	CVE-2021-29488

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://github.com/sabnzbd/sabnzbd/se...
Whiteboard:	B3 [noglsa]
Keywords:

Depends on:	788862
Blocks:
	Show dependency tree

Reported:	2021-06-24 00:30 UTC by John Helmert III
Modified:	2022-11-09 02:42 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2021-06-24 00:30:45 UTC

CVE-2021-29488:

SABnzbd is an open source binary newsreader. A vulnerability was discovered in SABnzbd that could trick the `filesystem.renamer()` function into writing downloaded files outside the configured Download Folder via malicious PAR2 files. A patch was released as part of SABnzbd 3.2.1RC1. As a workaround, limit downloads to NZBs without PAR2 files, deny write permissions to the SABnzbd process outside areas it must access to perform its job, or update to a fixed version.

Fix is in 3.2.1, please bump.

Comment 1 NATTkA bot gentoo-dev

2021-07-29 17:21:25 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 2 NATTkA bot gentoo-dev

2021-07-29 17:29:33 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 3 NATTkA bot gentoo-dev

2021-07-29 17:37:32 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 4 NATTkA bot gentoo-dev

2021-07-29 17:45:36 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 5 NATTkA bot gentoo-dev

2021-07-29 17:53:41 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 6 NATTkA bot gentoo-dev

2021-07-29 18:01:35 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 7 NATTkA bot gentoo-dev

2021-07-29 18:09:56 UTC

Package list is empty or all packages have requested keywords.

Comment 8 Sam James archtester

2022-07-29 04:39:45 UTC

commit 58c900dfcec55396d2818b36d7724db65f669068
Author: Thomas Deutschmann <whissi@gentoo.org>
Date:   Thu Apr 1 00:18:49 2021 +0200

    net-nntp/sabnzbd: bump to v3.2.1

    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

Comment 9 Joe Kappus 2022-11-08 22:51:14 UTC

Vulnerable packages are no longer in portage, can this be marked resolved?

Comment 10 John Helmert III archtester

2022-11-09 02:42:54 UTC

Sure. No GLSA, all done.