Report forwarded to debian-bugs-dist@lists.debian.org, md@linux.it, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Chris Hanson <cph@debian.org>: Bug#480972; Package libuu-dev.
Acknowledgement sent to Marco d'Itri <md@linux.it>:
New Bug report received and forwarded. Copy sent to md@linux.it, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Chris Hanson <cph@debian.org>.
Package: libuu-dev
Version: 0.5.20-3
Severity: critical
Tags: security upstream
Security team: libuu-dev is a static-only library (see #216593).
klibido, nget and slrn build-depend on libuu-dev, while
libconvert-uulib-perl and kde (I don't know exactly which package,
look in the kdesupport directory) contain an embedded copy.
Pan has an embedded copy too, but it's modified and does not contain
this code.
This code in uulib/uunconc.c is vulnerable to symlink attacks.
    if ((data->binfile = tempnam (NULL, "uu")) == NULL) {
      UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
                 uustring (S_NO_TEMP_NAME));
      return UURET_NOMEM;
    }

    if ((dataout = fopen (data->binfile, mode)) == NULL) {
--
ciao,
Marco
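An added example, not uudeview's code and not the patch attached later in this thread: the tempnam()+fopen() pattern quoted in the report, placed next to the mkstemp()+fdopen() replacement of the kind that the libconvert-uulib-perl copy is said (further down) to use. The helper names, the directory selection and the check function are my own assumptions, not uulib's API.

```c
/* Added example (not uudeview's code and not the patch from this report):
 * the tempnam()+fopen() pattern quoted in the bug, next to a replacement
 * built on mkstemp()+fdopen(). Helper names are my own. */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>

/* The reported pattern. tempnam() only returns a name; nothing exists at
 * that path yet. fopen() later creates or truncates whatever the name
 * resolves to, and it follows symlinks, so a symlink placed there by
 * another local user in between redirects the write to the link's target. */
FILE *open_temp_unsafe(char **path_out)
{
    char *name = tempnam(NULL, "uu");     /* step 1: pick a name */
    if (name == NULL)
        return NULL;
    FILE *fp = fopen(name, "wb");         /* step 2: open by name (racy) */
    if (fp == NULL) {
        free(name);
        return NULL;
    }
    *path_out = name;
    return fp;
}

/* Hardened replacement. mkstemp() creates the file itself with
 * O_CREAT|O_EXCL and mode 0600 in one call, so an existing entry (symlink
 * or otherwise) at the chosen name makes the attempt fail instead of being
 * followed; fdopen() wraps the descriptor we already hold, so the path is
 * never looked up by name a second time. */
FILE *open_temp_safe(const char *dir, char **path_out)
{
    const char *base = dir;
    if (base == NULL)
        base = getenv("TMPDIR");
    if (base == NULL || *base == '\0')
        base = "/tmp";

    size_t len = strlen(base) + sizeof("/uuXXXXXX");
    char *tmpl = malloc(len);
    if (tmpl == NULL)
        return NULL;
    snprintf(tmpl, len, "%s/uuXXXXXX", base);   /* mkstemp fills in the Xs */

    int fd = mkstemp(tmpl);
    if (fd < 0) {
        free(tmpl);
        return NULL;
    }
    FILE *fp = fdopen(fd, "w+b");
    if (fp == NULL) {
        close(fd);
        unlink(tmpl);
        free(tmpl);
        return NULL;
    }
    *path_out = tmpl;
    return fp;
}

/* Post-condition a reviewer can apply to any temp-file routine: the name
 * must be a regular file (not a symlink), it must be the same inode the
 * open descriptor refers to, and no group/other permission bits are set. */
int temp_is_private(FILE *fp, const char *path)
{
    struct stat by_fd, by_name;
    if (fstat(fileno(fp), &by_fd) != 0 || lstat(path, &by_name) != 0)
        return 0;
    return S_ISREG(by_name.st_mode)
        && by_fd.st_ino == by_name.st_ino
        && by_fd.st_dev == by_name.st_dev
        && (by_fd.st_mode & 077) == 0;
}

/* Runs the hardened path end to end and cleans up; returns 1 on success. */
int demo_safe_tempfile(void)
{
    char *path = NULL;
    FILE *fp = open_temp_safe(NULL, &path);
    if (fp == NULL)
        return 0;
    int ok = temp_is_private(fp, path);
    static const char payload[] = "constructed sample data";  /* constructed */
    if (ok && fwrite(payload, 1, sizeof payload - 1, fp) != sizeof payload - 1)
        ok = 0;
    fclose(fp);
    unlink(path);
    free(path);
    return ok;
}

int main(void)
{
    printf("%s\n", demo_safe_tempfile() ? "hardened temp file: ok" : "FAILED");
    return 0;
}
```

The point of temp_is_private() is that it checks the object behind the descriptor against the name with lstat(), so a routine that still opened by path would be caught if anything other than a plain 0600 regular file ended up there.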
Bug 480972 cloned as bug 481048.
Request was from Marco d'Itri <md@linux.it>
to control@bugs.debian.org.
(Tue, 13 May 2008 12:03:05 GMT)
Changed Bug title to `CVE-2008-2266 vulnerable to symlink attacks' from `vulnerable to symlink attacks'.
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Sun, 18 May 2008 11:39:05 GMT)
Acknowledgement sent to md@Linux.IT (Marco d'Itri):
Extra info received and forwarded to list. Copy sent to Chris Hanson <cph@debian.org>.
Acknowledgement sent to Nico Golde <nion@debian.org>:
tags 480972 + patch
thanks
Hi,
I wrote a patch to fix this. I have no idea how to test this
specific functionality so it would be nice if someone could
do this before uploading it.
Patch attached.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Tags added: patch
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Sun, 18 May 2008 12:21:11 GMT)
Acknowledgement sent to gregor herrmann <gregoa@debian.org>:
On Tue, 13 May 2008 01:19:19 +0200, Marco d'Itri wrote:
> Security team: libuu-dev is a static-only library (see #216593).
> klibido, nget and slrn build-depend on libuu-dev, while
> libconvert-uulib-perl and kde (I don't know exactly which package,
> look in the kdesupport directory) contain an embedded copy.
>
> This code in uulib/uunconc.c is vulnerable to symlink attacks.
>
> if ((data->binfile = tempnam (NULL, "uu")) == NULL) {
> UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
> uustring (S_NO_TEMP_NAME));
> return UURET_NOMEM;
> }
>
> if ((dataout = fopen (data->binfile, mode)) == NULL) {
I took a look at uulib/uunconc.c in libconvert-uulib-perl and I have
the impression that it's not vulnerable because it uses mkstemp
instead of tempnam if available.
This was also already mentioned in
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=320541#30
Still I'd appreciate if someone who speaks better C than me could
take a look to verify.
Cheers,
gregor
--
.''`. http://info.comodo.priv.at/ | gpg key ID: 0x00F3CFE4
: :' : debian gnu/linux user, admin & developer - http://www.debian.org/
`. `' member of https://www.vibe.at/ | how to reply: http://got.to/quote/
`- NP: Tom Waits: Make It Rain
Acknowledgement sent to Nico Golde <nion@debian.org>:
Hi Gregor,
* gregor herrmann <gregoa@debian.org> [2008-05-18 15:40]:
> On Tue, 13 May 2008 01:19:19 +0200, Marco d'Itri wrote:
> > Security team: libuu-dev is a static-only library (see #216593).
> > klibido, nget and slrn build-depend on libuu-dev, while
> > libconvert-uulib-perl and kde (I don't know exactly which package,
> > look in the kdesupport directory) contain an embedded copy.
> >
> > This code in uulib/uunconc.c is vulnerable to symlink attacks.
> >
> > if ((data->binfile = tempnam (NULL, "uu")) == NULL) {
> > UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
> > uustring (S_NO_TEMP_NAME));
> > return UURET_NOMEM;
> > }
> >
> > if ((dataout = fopen (data->binfile, mode)) == NULL) {
>
> I took a look at uulib/uunconc.c in libconvert-uulib-perl and I have
> the impression that it's not vulnerable because it uses mkstemp
> instead of tempnam if available.
>
> This was also already mentioned in
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=320541#30
>
> Still I'd appreciate if someone who speaks better C than me could
> take a look to verify.
Confirmed, the version of uunconc.c in libconvert-uulib-perl
is not vulnerable. Added this to the security tracker.
Thanks for checking!
Attached is an updated patch which ports the changes made in
libconvert-uulib-perl to uudeview. Please use this patch
instead of the other one as the first one misses the second
tempnam call.
Kind regards
Nico
P.S. closing 481048
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Acknowledgement sent to Sune Vuorela <Sune@vuorela.dk>:
On Tuesday 13 May 2008, Marco d'Itri wrote:
> Security team: libuu-dev is a static-only library (see #216593).
> klibido, nget and slrn build-depend on libuu-dev, while
> libconvert-uulib-perl and kde (I don't know exactly which package,
> look in the kdesupport directory) contain an embedded copy.
I tried locating it in kde (kdesupport directory). I could find it through google
code search in an ancient (probably kde 1) tarball on some openbsd mirrors.
But I couldn't find it in either kde3 or kde4.
(I looked for the file mentioned ..)
/Sune
--
I'm not able to forward from a USB file, how does it work?
You must install the clock for logging on a system to a directory.
Tags added: pending
Request was from Marco d'Itri <md@linux.it>
to control@bugs.debian.org.
(Tue, 20 May 2008 23:51:01 GMT)
Acknowledgement sent to Nico Golde <nion@debian.org>:
Hi Sune,
* Sune Vuorela <Sune@vuorela.dk> [2008-05-18 21:35]:
> On Tuesday 13 May 2008, Marco d'Itri wrote:
> > Security team: libuu-dev is a static-only library (see #216593).
> > klibido, nget and slrn build-depend on libuu-dev, while
> > libconvert-uulib-perl and kde (I don't know exactly which package,
> > look in the kdesupport directory) contain an embedded copy.
>
> I tried locating it in kde (kdesupport directory). I could find it through google
> code search in an ancient (probably kde 1) tarball on some openbsd mirrors.
>
> But I couldn't find it in either kde3 or kde4.
>
> (I looked for the file mentioned ..)
Yes, same here. Looks like some deprecated package for kde
libs. I couldn't find that either in current source
packages. Marco, where did you get this information?
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Acknowledgement sent to Sune Vuorela <Sune@vuorela.dk>:
On Thursday 22 May 2008, Nico Golde wrote:
> Yes, same here. Looks like some deprecated package for kde
> libs. I couldn't find that either in current source
> packages. Marco, where did you get this information?
Marco told me he got it from google code search.
/Sune
--
Man, do you know how could I open the line to the editor on the head of a
terminale?
You can never forward to the ethernet microkernel for installing the 3-bit
mousepad.
Source: uudeview
Source-Version: 0.5.20-3.1
We believe that the bug you reported is fixed in the latest version of
uudeview, which is due to be installed in the Debian FTP archive:
libuu-dev_0.5.20-3.1_i386.deb
to pool/main/u/uudeview/libuu-dev_0.5.20-3.1_i386.deb
libuu0_0.5.20-3.1_i386.deb
to pool/main/u/uudeview/libuu0_0.5.20-3.1_i386.deb
uudeview_0.5.20-3.1.diff.gz
to pool/main/u/uudeview/uudeview_0.5.20-3.1.diff.gz
uudeview_0.5.20-3.1.dsc
to pool/main/u/uudeview/uudeview_0.5.20-3.1.dsc
uudeview_0.5.20-3.1_i386.deb
to pool/main/u/uudeview/uudeview_0.5.20-3.1_i386.deb
xdeview_0.5.20-3.1_i386.deb
to pool/main/u/uudeview/xdeview_0.5.20-3.1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 480972@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Marco d'Itri <md@linux.it> (supplier of updated uudeview package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 21 May 2008 01:34:35 +0200
Source: uudeview
Binary: uudeview xdeview libuu0 libuu-dev
Architecture: source i386
Version: 0.5.20-3.1
Distribution: unstable
Urgency: high
Maintainer: Chris Hanson <cph@debian.org>
Changed-By: Marco d'Itri <md@linux.it>
Description:
libuu-dev - Library for decoding/encoding several popular file encodings
libuu0 - Library for decoding/encoding several popular file encodings
uudeview - Smart multi-file multi-part decoder (command line)
xdeview - Smart multi-file multi-part decoder (X11 GUI)
Closes: 216593 480972
Changes:
uudeview (0.5.20-3.1) unstable; urgency=high
.
* Non-maintainer upload.
* Fixed a classical tempfile symlink attack vulnerability in libuu.
Thanks to Nico Golde for the patch. (Closes: #480972)
* Added a shared library package. (Closes: #216593)
* Added support for dpkg-buildpackage setting $CFLAGS.
* Removed no-op maintainer scripts.
* Replaced the deprecated tetex dependencies with texlive-latex-base.
Checksums-Sha1:
fa0cf5bf1ad09145f69736fafb3891ca48fbd3f1 1047 uudeview_0.5.20-3.1.dsc
016f87232e3b47252075730a833507517f612e17 57188 uudeview_0.5.20-3.1.diff.gz
4727d8a362a109ee89f2c4ee4362acea6caadfef 49050 uudeview_0.5.20-3.1_i386.deb
4bf840729df56bbe40da8ef4c0b669eeebbce1fc 68000 xdeview_0.5.20-3.1_i386.deb
f6ca1ed3696ddcade6552f826d578672bcd3d9af 72150 libuu0_0.5.20-3.1_i386.deb
27019009cd56b411196f0dd634fad078ea8d2186 64518 libuu-dev_0.5.20-3.1_i386.deb
Checksums-Sha256:
dc8686916966b4852219d3d34c8df5fa799ad3331bfb96df4a57f0722fd1e860 1047 uudeview_0.5.20-3.1.dsc
26078a2358d2826b3f8a47f3e9315f6f3efa7b5f7f78b1c9efe4754d2d725df6 57188 uudeview_0.5.20-3.1.diff.gz
d65f8dc7670d0861766c7215cd776e3a519937710e61e6b691b644b8f647da31 49050 uudeview_0.5.20-3.1_i386.deb
43b82282757a870d80e461ce604e8cfb96e185d7149db7d16493f1cacf5c732d 68000 xdeview_0.5.20-3.1_i386.deb
49b0e8ddc9fa20011be14e7e553a7601a96fa2edb6acdf5af72f844c487a3296 72150 libuu0_0.5.20-3.1_i386.deb
08cb676dc9ebe1925a3615556ad93f44681b1c1324f735baa450125ad4aa2ee7 64518 libuu-dev_0.5.20-3.1_i386.deb
Files:
6c26dce1c2f047f75a8ca03c7a1c045b 1047 utils optional uudeview_0.5.20-3.1.dsc
5078a3a430b91fb498ba50d8b58a8b29 57188 utils optional uudeview_0.5.20-3.1.diff.gz
f50771d820e2af5d2c2795563a7f97b8 49050 utils optional uudeview_0.5.20-3.1_i386.deb
728a0a56a56b7794c2a80e972b63e0c0 68000 utils optional xdeview_0.5.20-3.1_i386.deb
a2cd7008e6a84d8b0ef4fc6a88575517 72150 libs optional libuu0_0.5.20-3.1_i386.deb
2e4af9564dc8d96cb8a225e4db3601db 64518 libdevel optional libuu-dev_0.5.20-3.1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFIM+9IFGfw2OHuP7ERAlmbAJ4tRmegsSSc1OJNruj4CkxoXpQ4wQCaAz4k
0jfGrUkO4jiGFH00X7jsfr4=
=vN9u
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 16 Mar 2009 09:55:44 GMT)