GLSA Advocate
Posted: Mon Aug 11, 2008 7:26 pm Post subject: [ GLSA 200808-11 ] UUDeview: Insecure temporary file creatio
Gentoo Linux Security Advisory
Title: UUDeview: Insecure temporary file creation (GLSA 200808-11)
Severity: normal
Exploitable: local
Date: August 11, 2008
Bug(s): #222275, #224193
ID: 200808-11
Synopsis
A vulnerability in UUDeview may allow local attackers to conduct symlink attacks.
Background
UUDeview is an encoder and decoder supporting various binary formats. NZBGet is a command-line based binary newsgrabber supporting .nzb files.
Affected Packages
Package: app-text/uudeview
Vulnerable: < 0.5.20-r1
Unaffected: >= 0.5.20-r1
Architectures: All supported architectures
Package: news-nntp/nzbget
Vulnerable: < 0.4.0
Unaffected: >= 0.4.0
Architectures: All supported architectures
Description
UUDeview makes insecure use of the tempnam() function when creating temporary files. NZBGet includes a copy of the vulnerable code.
Impact
A local attacker could exploit this vulnerability to overwrite arbitrary files on the system.
Workaround
There is no known workaround at this time.
Resolution
All UUDeview users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-text/uudeview-0.5.20-r1"

All NZBGet users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=news-nntp/nzbget-0.4.0"
References
CVE-2008-2266
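The bug class named in the Description, shown as an added example that is not code from UUDeview, NZBGet or the advisory: the racy tempnam() pattern appears only as a comment, next to exclusive creation and mkstemp(), which refuse a path that already exists. The helper names, paths and file contents are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy pattern: name = tempnam(dir, pfx); fp = fopen(name, "w");
 * tempnam() only returns a name. Whatever appears at that path before the
 * fopen() call, a symlink included, is followed and truncated. */

/* Fixed-name case: O_EXCL makes creation fail if anything already exists
 * at the path, and a symlink there is not followed. */
int open_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Constructed scenario in a private directory; all paths are made up.
 * Returns 0 when the pre-planted symlink is refused, mkstemp() yields a
 * private regular file, and the symlink's target keeps its contents. */
int demo(void)
{
    char dir[] = "/tmp/tmpfile-demo-XXXXXX";
    char target[64], planted[64], tmpl[64];
    struct stat st;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(planted, sizeof planted, "%s/predictable.tmp", dir);
    snprintf(tmpl, sizeof tmpl, "%s/safe-XXXXXX", dir);
    int tfd = open_exclusive(target);
    int wrote = tfd >= 0 && write(tfd, "keep", 4) == 4;
    if (tfd >= 0) close(tfd);
    int linked = symlink(target, planted) == 0;
    int fd = open_exclusive(planted);      /* path is already taken */
    int refused = fd < 0 && errno == EEXIST;
    if (fd >= 0) close(fd);
    int sfd = mkstemp(tmpl);               /* name picked and file created atomically */
    int is_private = sfd >= 0 && fstat(sfd, &st) == 0 &&
                     S_ISREG(st.st_mode) && (st.st_mode & 0077) == 0;
    if (sfd >= 0) close(sfd);
    int untouched = stat(target, &st) == 0 && st.st_size == 4;
    unlink(tmpl); unlink(planted); unlink(target); rmdir(dir);
    return (wrote && linked && refused && is_private && untouched) ? 0 : -1;
}

int main(void) { return demo() == 0 ? 0 : 1; }
```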