This is a possible security issue which has already published to the public pan
developer list and filed in GNOME bugzilla, filed on Red Hat Bugzilla, and assigned a CVE number, so it's public.
The GNOME bug URL (and in the URL slot above):
CVE-2008-2363 but as of now all that gives me is "reserved".
From Pavel's post to the pan devel list:
<quote>I discovered a heap overflow in pan 0.132, part of the code reading .nzb
files (either from tasks.nzb or elsewhere). Usually it results in
assertion failure, but in certain cases might lead to segmentation
fault, arbitrary code execution shouldn't be ruled out either.</quote>
There is a patch available. See the Red Hat Bug entry, here:
The post to pan's dev list, courtesy gmane, here:
The patch as in RH bugzilla is now verified to apply without issue, and I'm running the resulting binary with no observed issues either, altho I've obviously not been running it but a few minutes so far.
Actually, I applied against a live SVN version ebuild I have in overlay, but SVN's only very slightly changed from 0.132 (and hasn't budged in months) and I'm using the patches Gentoo uses in the pan ebuild in the tree. Additionally, the patch on RH's bugz was against 0.132. Thus, it shouldn't have any issues against the tree's 0.132 either.
net-news/gnome, please bump as necessary.
Created attachment 155169 [details, diff]
patch from RedHat bugzilla
Attaching the patch here for our reference. I've tested it and it seems to work.
I have commited net-nntp/pan-0.132-r3 to the tree, including the patch.
I have requested stabilization of this revision for other reasons on Bug 227679
Sorry, we just missed the comment about this ebuild being committed. Thanks for the stable request.
0.14.2 is not affected since it does not support NZB loading. So if sparc decides not to upgrade to the 0.132 branch, that is fine for security.
So only hppa and ppc are missing. Adding release to this bug to merge in new version.
ppc, please test and mark stable