Marco d'Itri has reported a vulnerability in UUDeview, which can be
exploited by malicious, local users to perform certain actions with

The vulnerability is caused due to the application creating temporary
files insecurely using the "tempnam()" function. This can be exploited
to overwrite arbitrary files on the local system with the privileges
of the user running uudeview.

The vulnerability is reported in version 0.5.20. Other versions may
also be affected.
Looks like CAN-2004-2265 was reintroduced, have a look at:
Is this something that needs to be masked? I can volunteer to mask it if needed.
Nico ported a patch from Perl's Convert-UUlib to uudeview, it's available here:
So instead of masking, we can bump the package. Or are there other reasons we'd want to retire it from the tree?
Any news here?
*uudeview-0.5.20-r1 (28 Jul 2008)
28 Jul 2008; Robert Buchholz <email@example.com>
Pull in source patches from Debian
* Fix temporary file issue (CVE-2004-2265, CVE-2008-2266, bug #222275)
* Update uudeview man page, include uuwish man page
* Several bug fixes
* Remove dead 'debug' use flag
* Remove old patch
Arches, please test and mark stable:
Target keywords : "amd64 ppc sparc x86"
ppc stable and ready for glsa voting
We issued GLSAs for such vulnerabilities, so I vote Yes.
Yes, combined with #224193.
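
The tempnam() problem described in the advisory at the top of this report, as an added C example (not uudeview's code and not the Debian patch): tempnam() only returns a name, so a file that appears at that name before the program opens it gets truncated by a plain open, while an exclusive create or mkstemp() avoids this. The function names, the `uud` prefix, the `/tmp/uud-XXXXXX` template and the use of `fopen(name, "w")` as the follow-up open are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* exclusive=0: fopen(name, "w") as in the flawed pattern; 1 if a file that
 * appeared after tempnam() returned got truncated. exclusive=1: open() with
 * O_CREAT|O_EXCL; 1 if refused with EEXIST. -1 on setup failure. */
int race_outcome(int exclusive) {
    struct stat st;
    int result;
    char *name = tempnam(NULL, "uud");  /* a name only; nothing is created */
    FILE *other = name ? fopen(name, "w") : NULL;
    if (!other) { free(name); return -1; }
    fputs("existing data\n", other);    /* constructed: someone else got there first */
    fclose(other);
    if (!exclusive) {
        FILE *f = fopen(name, "w");     /* opens whatever is there and truncates it */
        result = f && stat(name, &st) == 0 && st.st_size == 0;
        if (f) fclose(f);
    } else {
        int fd = open(name, O_WRONLY | O_CREAT | O_EXCL, 0600);
        result = (fd == -1 && errno == EEXIST);
        if (fd != -1) close(fd);
    }
    unlink(name);
    free(name);
    return result;
}

/* mkstemp() names and creates the file atomically; 1 if it is private. */
int mkstemp_is_private(void) {
    char path[] = "/tmp/uud-XXXXXX";
    struct stat st;
    int fd = mkstemp(path);
    if (fd == -1) return -1;
    int ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && (st.st_mode & 077) == 0;
    close(fd);
    unlink(path);
    return ok;
}

int main(void) {
    printf("fopen clobbered=%d O_EXCL refused=%d mkstemp private=%d\n",
           race_outcome(0), race_outcome(1), mkstemp_is_private());
    return 0;
}
```

On glibc the linker prints a warning that tempnam is dangerous and suggests mkstemp; that warning is a quick way to spot the pattern when auditing a build log.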