On Tue, 13 May 2008 01:19:19 +0200, Marco d'Itri wrote:

> Security team: libuu-dev is a static-only library (see #216593).
> klibido, nget and slrn build-depend on libuu-dev, while
> libconvert-uulib-perl and kde (I don't know exactly which package,
> look in the kdesupport directory) contain an embedded copy.
> 
> This code in uulib/uunconc.c is vulnerable to symlink attacks.
> 
>   if ((data->binfile = tempnam (NULL, "uu")) == NULL) {
>     UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
>                uustring (S_NO_TEMP_NAME));
>     return UURET_NOMEM;
>   } 
>   
>   if ((dataout = fopen (data->binfile, mode)) == NULL) {

I took a look at uulib/uunconc.c in libconvert-uulib-perl and I have
the impression that it's not vulnerable because it uses mkstemp
instead of tempnam if available.

This was also already mentioned in
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=320541#30

Still, I'd appreciate it if someone who speaks better C than me could
take a look to verify.

Cheers,
gregor 
 
-- 
 .''`.   http://info.comodo.priv.at/ | gpg key ID: 0x00F3CFE4
 : :' :  debian gnu/linux user, admin & developer - http://www.debian.org/
 `. `'   member of https://www.vibe.at/ | how to reply: http://got.to/quote/
   `-    NP: Tom Waits: Make It Rain

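For reference, this is what the mkstemp-based variant that gregor is asking about looks like when written out as a self-contained C function. It is an added illustration, not code from this thread, from libuu, or from libconvert-uulib-perl: the function names uu_open_tempfile and uu_tempfile_selftest, the "uuXXXXXX" template and the TMPDIR handling are assumptions made for the example. The point it demonstrates is the difference between the quoted tempnam()+fopen() pair, where the name is looked up twice and a symlink can be planted in between, and mkstemp(), which creates the file with O_CREAT|O_EXCL and mode 0600 and returns an already-open descriptor; the fstat() check afterwards inspects the open object rather than the path, so it cannot be raced either.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened replacement for the tempnam()+fopen() pair quoted in the thread
 * (hypothetical name, not libuu's API).  tempnam() only returns a name and
 * the later fopen() re-resolves it, so a symlink created in between
 * redirects the write.  mkstemp() creates the file atomically with
 * O_CREAT|O_EXCL and mode 0600 and returns an open descriptor, so no
 * lookup by name happens after creation.
 *
 * 'path_out' receives the final path (needed later for unlink()).
 * Returns a FILE* opened for writing, or NULL with errno set. */
FILE *uu_open_tempfile(char *path_out, size_t path_len)
{
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0')
        dir = "/tmp";

    /* mkstemp() requires the template to end in exactly "XXXXXX". */
    int n = snprintf(path_out, path_len, "%s/uuXXXXXX", dir);
    if (n < 0 || (size_t)n >= path_len) {
        errno = ENAMETOOLONG;
        return NULL;
    }

    int fd = mkstemp(path_out);
    if (fd < 0)
        return NULL;

    /* Defensive check on the open descriptor (not the path): a fresh
     * regular file, owned by us, single link, no group/other permissions. */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()
        || (st.st_mode & 077) != 0 || st.st_nlink != 1) {
        close(fd);
        unlink(path_out);
        errno = EACCES;
        return NULL;
    }

    FILE *fp = fdopen(fd, "w");
    if (fp == NULL) {
        int saved = errno;
        close(fd);
        unlink(path_out);
        errno = saved;
    }
    return fp;
}

/* Self-check: create a temp file, write a constructed sample line, read it
 * back through the path and remove it.  Returns 1 on success, 0 otherwise. */
int uu_tempfile_selftest(void)
{
    char path[4096];
    FILE *fp = uu_open_tempfile(path, sizeof path);
    if (fp == NULL)
        return 0;

    const char *msg = "begin 644 test\n";   /* constructed sample content */
    int ok = fputs(msg, fp) >= 0 && fclose(fp) == 0;

    char buf[64] = {0};
    FILE *rd = fopen(path, "r");
    ok = ok && rd != NULL && fgets(buf, sizeof buf, rd) != NULL
         && strcmp(buf, msg) == 0;
    if (rd != NULL)
        fclose(rd);

    unlink(path);
    return ok;
}

int main(void)
{
    int ok = uu_tempfile_selftest();
    printf("mkstemp self-test: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

When auditing code like uunconc.c, the thing to look for is whether the descriptor returned by mkstemp() is actually the one written to (via fdopen()), or whether the code still re-opens the generated name with fopen(); the latter reintroduces the race even though mkstemp() was called.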