*** This bug is a security vulnerability ***

Public security bug reported:

This is a report of a serious security problem I found with pan 0.132;
it affects all Ubuntu releases including 9.04 (and also Pan 0.133 as
shipped with Fedora-10).

The problem is that Pan obeys the original yEnc standard which preserves
file permissions, thus allowing malware to be saved as executable
(typically the somefilename.avi.exe sort of Trojan). So far this appears
to be a Windows-only threat, but of course that could change.

The discussion of this resulted in the proposed patch to disable the
preservation of file permission mask, as covered here:

http://www.mail-archive.com/pan-us...@nongnu.org/msg05572.html

Hopefully the Ubuntu team will implement this very soon, but the
following is how I did it:

Of course, you should *think* carefully about following *any* system
wide commands that involve 'sudo', and ensure you understand any
commands before trying them!

First I installed Pan from the Ubuntu repository as a typical user
would. I set it up with my news server (news.virginmedia.com with
article time-out set to 2 weeks in my case) and tested that it works.

Then I installed the packages needed to build Pan, first the libraries
from the repository:

sudo apt-get install libpcre++-dev libgmime-2.0-2-dev libgtkspell-dev

Then I downloaded the pan 0.133 source (you could replace the wget step
by using a web browser to check it is the correct pan site, of course):

 cd ~/Documents
 wget http://pan.rebelbase.com/download/releases/0.133/source/pan-0.133.tar.gz
 tar -xf pan-0.133.tar.gz
 cd pan-0.133/

Then configure and build the basic version of pan 0.133 with this:

 ./configure
 make

After a couple of minutes, hopefully it will have built correctly. Then
I edited the decoder source file to apply the fix:

 gedit pan/tasks/decoder.cc

Go to line 137 (e.g. Ctrl+I and enter 137) and add the IGNMODE step so
it looks like this code section:

      UUSetMsgCallback (this, uu_log);
      UUSetOption (UUOPT_DESPERATE, 1, NULL); // keep incompletes; they're useful to par2
      UUSetOption (UUOPT_IGNMODE, 1, NULL);   // don't save file as executable
      UUSetBusyCallback (this, uu_busy_poll, 500); // .5 secs busy poll?

Save decoder.cc (e.g. Ctrl+S) and then build the new version with:

 make

This should be much quicker. Finally, it can be installed with this:

 sudo cp /usr/bin/pan /usr/bin/pan-0.132
 sudo cp pan/gui/pan /usr/bin/pan

If you start pan, the menu Help -> About should now report Pan 0.133.
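The rebuilt binary stops new downloads from being saved with an execute bit, but attachments decoded before the fix keep whatever mode they were given. The shell functions below are an added example (not part of the bug report or of Pan) that audit a download directory for such files and clear the execute bits; the directory path passed in is an assumption, and GNU find's `-perm /111` syntax is assumed.

```shell
#!/bin/sh
# Added example, not from the bug report: audit a Pan download directory for
# decoded attachments saved with any execute bit set, and clear that bit.
# This covers files decoded before the UUOPT_IGNMODE rebuild; the directory
# path is supplied by the caller (e.g. ~/Downloads, an assumption).

# Print every regular file under $1 that has an execute bit set for
# user, group or other (GNU find: -perm /111 matches any of those bits).
find_executable_decodes() {
    find "$1" -type f -perm /111 -print
}

# Count such files; handy for a quick "is my download folder clean?" check.
count_executable_decodes() {
    find_executable_decodes "$1" | wc -l | tr -d ' '
}

# Clear the execute bits on every affected file under $1 and print each
# path that was changed. Only the mode changes; file contents are untouched.
strip_exec_bits() {
    find "$1" -type f -perm /111 -exec chmod a-x {} \; -print
}

# Typical use (constructed example): audit first, then fix.
# count_executable_decodes ~/Downloads
# strip_exec_bits ~/Downloads
```

Run the audit first; a non-zero count on a directory that should only contain media and text is worth a look before clearing anything.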

** Affects: pan (Ubuntu)
     Importance: Undecided
         Status: New

** Description changed:

  This is a report of a serious security problem I found with pan 0.132,
  it affects all releases Ubuntu including 9.04 (and also with Pan 0.133
  as shipped with Fedora-10).
  
  The problem is that Pan obeys the original yEnc standard which preserves
  file permissions, thus allowing malware to be saved as executable
  (typically the somefilename.avi.exe sort of Trojan). So far this appears
  to be a Windows-only threat, but of course that could change.
  
  The discussion of this resulted in the proposed patch to disable the
  preservation of file permission mask, as covered here:
  
  http://www.mail-archive.com/pan-us...@nongnu.org/msg05572.html
  
  Hopefully the Ubuntu team will implement this very soon, but following
  here is how I did it:
  
  Of course, you should *think* carefully about following *any* system
  wide commands that involve 'sudo', and ensure you understand any
  commands before trying them!
  
  First I installed Pan from the Ubuntu repository as a typical user
  would. I set it up with my news server (news.virginmedia.com  with
  article time-out set to 2 weeks in my case) and tested that it works.
  
  Then I installed the packages needed to build Pan, first the libraries
  from the repository:
  
  sudo apt-get install libpcre++-dev libgmime-2.0-2-dev libgtkspell-dev
  
  Then I downloaded the pan 0.133 source (you could replace the wget step
  by using a web browser to check it is the correct pan site, of course):
  
   cd ~/Documents
   wget http://pan.rebelbase.com/download/releases/0.133/source/pan-0.133.tar.gz
   tar -xf pan-0.133.tar.gz
   cd pan-0.133/
  
  Then configure and build the basic version of pan 0.133 with this:
  
   ./configure
   make
  
  After a couple of minutes, hopefully it will have built correctly. Then
  I edited the decoder source file to apply the fix:
  
- gedit pan/tasks/decoder.cc
+  gedit pan/tasks/decoder.cc
  
  Go to line 137 (e.g. Ctrl+I and enter 137) and add the IGNMODE step so
  it looks like this code section:
  
        UUSetMsgCallback (this, uu_log);
        UUSetOption (UUOPT_DESPERATE, 1, NULL); // keep incompletes; they're 
useful to par2
        UUSetOption (UUOPT_IGNMODE, 1, NULL);   // don't save file as executable
        UUSetBusyCallback (this, uu_busy_poll, 500); // .5 secs busy poll?
  
  Save decoder.cc (e.g. Ctrl+S) and then build the new version with:
  
- make
+  make
  
  This should be much quicker. Finally, it can be installed with this:
  
   sudo cp /usr/bin/pan /usr/bin/pan-0.132
   sudo cp pan/gui/pan /usr/bin/pan
  
  If you start pan the menu Help -> About should now report Pan 0.133

** Visibility changed to: Public

-- 
Pan saves some files as executable
https://bugs.launchpad.net/bugs/374097

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs