|Summary:||net-nntp/pan <0.132-r3 Buffer overflow parsing *.nzb files (CVE-2008-2363)|
|Product:||Gentoo Security||Reporter:||Duncan <1i5t5.duncan>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Severity:||normal||CC:||gnome, net-news, releng|
|Package list:||Runtime testing required:||---|
|Bug Depends on:||195543, 227679|
Description Duncan 2008-05-29 07:24:08 UTC
This is a possible security issue which has already published to the public pan developer list and filed in GNOME bugzilla, filed on Red Hat Bugzilla, and assigned a CVE number, so it's public. The GNOME bug URL (and in the URL slot above): http://bugzilla.gnome.org/show_bug.cgi?id=535413 CVE-2008-2363 but as of now all that gives me is "reserved". http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2363 From Pavel's post to the pan devel list: <quote>I discovered a heap overflow in pan 0.132, part of the code reading .nzb files (either from tasks.nzb or elsewhere). Usually it results in assertion failure, but in certain cases might lead to segmentation fault, arbitrary code execution shouldn't be ruled out either.</quote> There is a patch available. See the Red Hat Bug entry, here: https://bugzilla.redhat.com/show_bug.cgi?id=446902 The post to pan's dev list, courtesy gmane, here: http://permalink.gmane.org/gmane.comp.gnome.apps.pan.devel/1077
Comment 1 Duncan 2008-05-29 08:04:35 UTC
The patch as in RH bugzilla is now verified to apply without issue, and I'm running the resulting binary with no observed issues either, altho I've obviously not been running it but a few minutes so far. Actually, I applied against a live SVN version ebuild I have in overlay, but SVN's only very slightly changed from 0.132 (and hasn't budged in months) and I'm using the patches Gentoo uses in the pan ebuild in the tree. Additionally, the patch on RH's bugz was against 0.132. Thus, it shouldn't have any issues against the tree's 0.132 either.
Comment 2 Pierre-Yves Rofes (RETIRED) 2008-05-29 08:23:38 UTC
net-news/gnome, please bump as necessary.
Comment 3 Arun Raghavan (RETIRED) 2008-06-01 21:57:46 UTC
Created attachment 155169 [details, diff] patch from RedHat bugzilla Attaching the patch here for our reference. I've tested it and it seems to work.
Comment 4 Sven Wegener 2008-06-03 20:23:16 UTC
I have commited net-nntp/pan-0.132-r3 to the tree, including the patch.
Comment 5 Mart Raudsepp 2008-06-17 14:28:54 UTC
I have requested stabilization of this revision for other reasons on Bug 227679
Comment 6 Robert Buchholz (RETIRED) 2008-06-17 15:04:54 UTC
Sorry, we just missed the comment about this ebuild being committed. Thanks for the stable request.
Comment 7 Robert Buchholz (RETIRED) 2008-06-19 23:53:19 UTC
0.14.2 is not affected since it does not support NZB loading. So if sparc decides not to upgrade to the 0.132 branch, that is fine for security. So only hppa and ppc are missing. Adding release to this bug to merge in new version.
Comment 8 Robert Buchholz (RETIRED) 2008-06-24 01:16:48 UTC
ppc, please test and mark stable =net-nntp/pan-0.132-r3
Comment 9 Tobias Scherbaum (RETIRED) 2008-06-24 16:22:51 UTC
Comment 10 Pierre-Yves Rofes (RETIRED) 2008-07-31 18:44:07 UTC