Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 222275 - app-text/uudeview <0.5.20-r1 Insecure Temporary File Creation (CVE-2008-2266)
Summary: app-text/uudeview <0.5.20-r1 Insecure Temporary File Creation (CVE-2008-2266)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/30171/
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-05-15 15:16 UTC by Robert Buchholz (RETIRED)
Modified: 2008-08-11 18:43 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2008-05-15 15:16:10 UTC
Secunia:
Marco d'Itri has reported a vulnerability in UUDeview, which can be
exploited by malicious, local users to perform certain actions with
escalated privileges.

The vulnerability is caused due to the application creating temporary
files insecurely using the "tempnam()" function. This can be exploited
to overwrite arbitrary files on the local system with the privileges
of the user running uudeview.

The vulnerability is reported in version 0.5.20. Other versions may
also be affected.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480972

Nico Golde:
Looks like CAN-2004-2265 was reintroduced, have a look at:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=320541
Comment 1 Jeremy Olexa (darkside) (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2008-05-29 15:14:27 UTC
rbu,
Is this something that needs to be masked? I can volunteer to mask it if needed.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-05-30 05:23:49 UTC
Nico ported a patch from Perl's Convert-UUlib to uudeview, it's available here:
http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=31;filename=uudeview.patch;att=1;bug=480972

So instead of masking, we can bump the package. Or are there other reasons we'd want to retire it from the tree?
Comment 3 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-07-06 21:12:10 UTC
any news here?
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-07-28 00:36:10 UTC
*uudeview-0.5.20-r1 (28 Jul 2008)

  28 Jul 2008; Robert Buchholz <rbu@gentoo.org>
  -files/uudeview-0.5.18-optimize_size.patch,
  +files/uudeview-0.5.20-CVE-2004-2265.patch,
  +files/uudeview-0.5.20-CVE-2008-2266.patch,
  +files/uudeview-0.5.20-bugfixes.patch, +files/uudeview-0.5.20-man.patch,
  +files/uudeview-0.5.20-rename.patch, +uudeview-0.5.20-r1.ebuild:
  Non-maintainer bump
  Pull in source patches from Debian
  * Fix temporary file issue (CVE-2004-2265, CVE-2008-2266, bug #222275)
  * Update uudeview man page, include uuwish man page
  * Several bug fixes

  Other changes:
  * Remove dead 'debug' use flag
  * Remove old patch
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-07-30 01:05:43 UTC
Arches, please test and mark stable:
=app-text/uudeview-0.5.20-r1
Target keywords : "amd64 ppc sparc x86"
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2008-07-30 21:00:45 UTC
sparc/x86 stable
Comment 7 Tobias Heinlein (RETIRED) gentoo-dev 2008-08-03 17:34:05 UTC
amd64 stable
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2008-08-03 17:57:51 UTC
ppc stable and ready for glsa voting
Comment 9 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2008-08-05 15:22:20 UTC
We issued GLSAs for such vulnerabilities, so i vote Yes.
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2008-08-06 23:04:38 UTC
Yes, combined with #224193.
Comment 11 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-08-11 18:43:54 UTC
GLSA 200808-11