Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 224051 (CVE-2008-2363) - net-nntp/pan <0.132-r3 Buffer overflow parsing *.nzb files (CVE-2008-2363)
Summary: net-nntp/pan <0.132-r3 Buffer overflow parsing *.nzb files (CVE-2008-2363)
Alias: CVE-2008-2363
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Depends on: 195543 227679
  Show dependency tree
Reported: 2008-05-29 07:24 UTC by Duncan
Modified: 2008-07-31 18:44 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---

patch from RedHat bugzilla (pan-0.132-parts-fix.patch,2.69 KB, patch)
2008-06-01 21:57 UTC, Arun Raghavan (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Duncan 2008-05-29 07:24:08 UTC
This is a possible security issue which has already published to the public pan
developer list and filed in GNOME bugzilla, filed on Red Hat Bugzilla, and assigned a CVE number, so it's public.

The GNOME bug URL (and in the URL slot above):

CVE-2008-2363 but as of now all that gives me is "reserved".

From Pavel's post to the pan devel list:
<quote>I discovered a heap overflow in pan 0.132, part of the code reading .nzb 
files (either from tasks.nzb or elsewhere). Usually it results in 
assertion failure, but in certain cases might lead to segmentation 
fault, arbitrary code execution shouldn't be ruled out either.</quote>

There is a patch available.  See the Red Hat Bug entry, here:

The post to pan's dev list, courtesy gmane, here:
Comment 1 Duncan 2008-05-29 08:04:35 UTC
The patch as in RH bugzilla is now verified to apply without issue, and I'm running the resulting binary with no observed issues either, altho I've obviously not been running it but a few minutes so far.

Actually, I applied against a live SVN version ebuild I have in overlay, but SVN's only very slightly changed from 0.132 (and hasn't budged in months) and I'm using the patches Gentoo uses in the pan ebuild in the tree.  Additionally, the patch on RH's bugz was against 0.132.  Thus, it shouldn't have any issues against the tree's 0.132 either.
Comment 2 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-05-29 08:23:38 UTC
net-news/gnome, please bump as necessary.
Comment 3 Arun Raghavan (RETIRED) gentoo-dev 2008-06-01 21:57:46 UTC
Created attachment 155169 [details, diff]
patch from RedHat bugzilla

Attaching the patch here for our reference. I've tested it and it seems to work.
Comment 4 Sven Wegener gentoo-dev 2008-06-03 20:23:16 UTC
I have commited net-nntp/pan-0.132-r3 to the tree, including the patch.
Comment 5 Mart Raudsepp gentoo-dev 2008-06-17 14:28:54 UTC
I have requested stabilization of this revision for other reasons on Bug 227679
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-06-17 15:04:54 UTC
Sorry, we just missed the comment about this ebuild being committed. Thanks for the stable request.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-06-19 23:53:19 UTC
0.14.2 is not affected since it does not support NZB loading. So if sparc decides not to upgrade to the 0.132 branch, that is fine for security.

So only hppa and ppc are missing. Adding release to this bug to merge in new version.
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2008-06-24 01:16:48 UTC
ppc, please test and mark stable
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2008-06-24 16:22:51 UTC
ppc stable
Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-07-31 18:44:07 UTC
GLSA 200807-15