On Tue, 13 May 2008 01:19:19 +0200, Marco d'Itri wrote:
> Security team: libuu-dev is a static-only library (see #216593).
> klibido, nget and slrn build-depend on libuu-dev, while
> libconvert-uulib-perl and kde (I don't know exactly which package,
> look in the kdesupport directory) contain an embedded copy.
>
> This code in uulib/uunconc.c is vulnerable to symlink attacks.
>
>   if ((data->binfile = tempnam (NULL, "uu")) == NULL) {
>     UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
>                uustring (S_NO_TEMP_NAME));
>     return UURET_NOMEM;
>   }
>
>   if ((dataout = fopen (data->binfile, mode)) == NULL) {
I took a look at uulib/uunconc.c in libconvert-uulib-perl and I have the
impression that it's not vulnerable because it uses mkstemp instead of
tempnam if available.

This was also already mentioned in
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=320541#30

Still I'd appreciate it if someone who speaks better C than me could take a
look to verify.

Cheers,
gregor

-- 
 .''`.  http://info.comodo.priv.at/ | gpg key ID: 0x00F3CFE4
 : :' : debian gnu/linux user, admin & developer - http://www.debian.org/
 `. `'  member of https://www.vibe.at/ | how to reply: http://got.to/quote/
   `-   NP: Tom Waits: Make It Rain
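For readers following the tempnam-versus-mkstemp question in this thread, the following is an added illustration, not code from uulib or from either poster: a temp-file routine built on mkstemp (which creates the file atomically with O_CREAT|O_EXCL and mode 0600, so a pre-planted symlink at the guessed name makes the open fail rather than being followed), plus a post-open check a reviewer can apply to confirm the descriptor really is a private regular file. The directory fallback to /tmp, the "uu" prefix mirroring the quoted call, and the function names are assumptions of this example.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>

/* Create and open a temporary file without a name/open race.
 * Unlike tempnam()+fopen(), mkstemp() creates the file itself, so there
 * is no window in which another user can place a symlink at the name.
 * On success *path_out receives the chosen name (caller frees it and
 * unlinks the file); returns a FILE* or NULL on failure. */
FILE *open_private_tempfile(char **path_out)
{
    const char *dir = getenv("TMPDIR");          /* assumed fallback: /tmp */
    if (dir == NULL || *dir == '\0')
        dir = "/tmp";
    size_t len = strlen(dir) + sizeof("/uuXXXXXX");
    char *path = malloc(len);
    if (path == NULL)
        return NULL;
    snprintf(path, len, "%s/uuXXXXXX", dir);     /* "uu" prefix as in the quoted call */
    int fd = mkstemp(path);                      /* O_CREAT|O_EXCL, mode 0600 */
    if (fd == -1) {
        free(path);
        return NULL;
    }
    FILE *fp = fdopen(fd, "w+");
    if (fp == NULL) {
        close(fd);
        unlink(path);
        free(path);
        return NULL;
    }
    *path_out = path;
    return fp;
}

/* Reviewer-style check on an open temp file: the descriptor must refer to
 * a regular file owned by us with no group/other permissions, and the
 * name on disk must not be a symlink and must still be the same inode. */
int tempfile_is_private(FILE *fp, const char *path)
{
    struct stat st, lst;
    if (fstat(fileno(fp), &st) != 0 || lstat(path, &lst) != 0)
        return 0;
    if (!S_ISREG(st.st_mode) || S_ISLNK(lst.st_mode))
        return 0;
    if (st.st_uid != getuid() || (st.st_mode & (S_IRWXG | S_IRWXO)) != 0)
        return 0;
    return st.st_ino == lst.st_ino && st.st_dev == lst.st_dev;
}
```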