Your message dated Fri, 23 May 2008 15:44:06 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#480972: fixed in uudeview 0.5.20-3.1
has caused the Debian Bug report #480972,
regarding CVE-2008-2266 vulnerable to symlink attacks
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
480972: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480972
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: libuu-dev
Version: 0.5.20-3
Severity: critical
Tags: security upstream
Security team: libuu-dev is a static-only library (see #216593).
klibido, nget and slrn build-depend on libuu-dev, while
libconvert-uulib-perl and kde (I don't know exactly which package,
look in the kdesupport directory) contain an embedded copy.
Pan has an embedded copy too, but it's modified and does not contain
this code.
This code in uulib/uunconc.c is vulnerable to symlink attacks.
  if ((data->binfile = tempnam (NULL, "uu")) == NULL) {
    UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
               uustring (S_NO_TEMP_NAME));
    return UURET_NOMEM;
  }
  if ((dataout = fopen (data->binfile, mode)) == NULL) {
--
ciao,
Marco
--- End Message ---
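The following is an added example; it is not code from the bug report, from uudeview, or from the patch credited in the changelog. It contrasts the tempnam()+fopen() sequence quoted above, which picks a name and then reopens it by path (so a symlink planted at that name in between is followed), with the mkstemp()+fdopen() pattern that creates and opens the file in one atomic step, and it checks the property a symlink-planting attack relies on. The function names (safe_tempfile, tempfile_is_private, demo_safe_tempfile, exclusive_create_refuses_symlink), the "uu" prefix reuse and the use of TMPDIR are assumptions of the example.

```c
/* Added example: not code from the bug report, uudeview, or the Debian patch.
 * Contrasts the tempnam()+fopen() sequence quoted in the report with an
 * atomic mkstemp()+fdopen() replacement, and shows why the latter cannot be
 * redirected through a symlink planted at a predictable name. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Directory for temp files; honours TMPDIR (assumption: same as tempnam()). */
static const char *tmpdir(void)
{
    const char *d = getenv("TMPDIR");
    return (d != NULL && *d != '\0') ? d : "/tmp";
}

/* Hardened replacement for tempnam()+fopen(): mkstemp() creates the file with
 * O_CREAT|O_EXCL and mode 0600, so an existing name (a symlink included) is
 * refused rather than followed. The open descriptor is then wrapped with
 * fdopen(); the path is never reopened by name. */
FILE *safe_tempfile(char *path, size_t pathlen)
{
    int n = snprintf(path, pathlen, "%s/uuXXXXXX", tmpdir()); /* "uu" prefix assumed */
    if (n < 0 || (size_t)n >= pathlen)
        return NULL;
    int fd = mkstemp(path);
    if (fd < 0)
        return NULL;
    FILE *fp = fdopen(fd, "w");
    if (fp == NULL) {
        close(fd);
        unlink(path);
    }
    return fp;
}

/* Post-condition a defender can check: the name refers to a regular file
 * (lstat() does not follow links), owned by us, with mode 0600. */
int tempfile_is_private(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return 0;
    if (!S_ISREG(st.st_mode))
        return 0;
    if (st.st_uid != getuid())
        return 0;
    return (st.st_mode & 0777) == 0600;
}

/* Create a temp file the hardened way, write to it, verify, clean up.
 * Returns 1 on success. */
int demo_safe_tempfile(void)
{
    char path[PATH_MAX];
    FILE *fp = safe_tempfile(path, sizeof path);
    if (fp == NULL)
        return 0;
    fputs("decoded data\n", fp);
    fclose(fp);
    int ok = tempfile_is_private(path);
    unlink(path);
    return ok;
}

/* Why the fix holds: inside a private directory of our own, place a symlink
 * at a fixed name (standing in for the predictable name tempnam() returns)
 * and attempt an exclusive create on it. POSIX requires O_CREAT|O_EXCL to
 * fail with EEXIST when the path is a symlink, even a dangling one, whereas
 * fopen(path, "w") would follow it. Returns 1 when the create is refused. */
int exclusive_create_refuses_symlink(void)
{
    char dir[PATH_MAX], target[PATH_MAX], lnk[PATH_MAX];
    snprintf(dir, sizeof dir, "%s/uudemoXXXXXX", tmpdir());
    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/uu12345", dir);
    int refused = 0;
    if (symlink(target, lnk) == 0) {
        int fd = open(lnk, O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (fd < 0 && errno == EEXIST)
            refused = 1;
        else if (fd >= 0)
            close(fd);
        unlink(lnk);
    }
    unlink(target); /* never created when the open was refused */
    rmdir(dir);
    return refused;
}

int main(void)
{
    printf("safe tempfile: %s\n", demo_safe_tempfile() ? "ok" : "FAILED");
    printf("exclusive create refuses symlink: %s\n",
           exclusive_create_refuses_symlink() ? "yes" : "NO");
    return 0;
}
```

The design point is that the name returned by tempnam() is only advisory: anything that happens between choosing it and fopen() is outside the program's control, and fopen() with "w" follows whatever is at that path. mkstemp() removes the window by creating the file exclusively and handing back a descriptor, so the library works on the file it created and never on the name.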
--- Begin Message ---
Source: uudeview
Source-Version: 0.5.20-3.1
We believe that the bug you reported is fixed in the latest version of
uudeview, which is due to be installed in the Debian FTP archive:
libuu-dev_0.5.20-3.1_i386.deb
to pool/main/u/uudeview/libuu-dev_0.5.20-3.1_i386.deb
libuu0_0.5.20-3.1_i386.deb
to pool/main/u/uudeview/libuu0_0.5.20-3.1_i386.deb
uudeview_0.5.20-3.1.diff.gz
to pool/main/u/uudeview/uudeview_0.5.20-3.1.diff.gz
uudeview_0.5.20-3.1.dsc
to pool/main/u/uudeview/uudeview_0.5.20-3.1.dsc
uudeview_0.5.20-3.1_i386.deb
to pool/main/u/uudeview/uudeview_0.5.20-3.1_i386.deb
xdeview_0.5.20-3.1_i386.deb
to pool/main/u/uudeview/xdeview_0.5.20-3.1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Marco d'Itri <[EMAIL PROTECTED]> (supplier of updated uudeview package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 21 May 2008 01:34:35 +0200
Source: uudeview
Binary: uudeview xdeview libuu0 libuu-dev
Architecture: source i386
Version: 0.5.20-3.1
Distribution: unstable
Urgency: high
Maintainer: Chris Hanson <[EMAIL PROTECTED]>
Changed-By: Marco d'Itri <[EMAIL PROTECTED]>
Description:
libuu-dev - Library for decoding/encoding several popular file encodings
libuu0 - Library for decoding/encoding several popular file encodings
uudeview - Smart multi-file multi-part decoder (command line)
xdeview - Smart multi-file multi-part decoder (X11 GUI)
Closes: 216593 480972
Changes:
uudeview (0.5.20-3.1) unstable; urgency=high
.
* Non-maintainer upload.
* Fixed a classical tempfile symlink attack vulnerability in libuu.
Thanks to Nico Golde for the patch. (Closes: #480972)
* Added a shared library package. (Closes: #216593)
* Added support for dpkg-buildpackage setting $CFLAGS.
* Removed no-op maintainer scripts.
* Replaced the deprecated tetex dependencies with texlive-latex-base.
Checksums-Sha1:
fa0cf5bf1ad09145f69736fafb3891ca48fbd3f1 1047 uudeview_0.5.20-3.1.dsc
016f87232e3b47252075730a833507517f612e17 57188 uudeview_0.5.20-3.1.diff.gz
4727d8a362a109ee89f2c4ee4362acea6caadfef 49050 uudeview_0.5.20-3.1_i386.deb
4bf840729df56bbe40da8ef4c0b669eeebbce1fc 68000 xdeview_0.5.20-3.1_i386.deb
f6ca1ed3696ddcade6552f826d578672bcd3d9af 72150 libuu0_0.5.20-3.1_i386.deb
27019009cd56b411196f0dd634fad078ea8d2186 64518 libuu-dev_0.5.20-3.1_i386.deb
Checksums-Sha256:
dc8686916966b4852219d3d34c8df5fa799ad3331bfb96df4a57f0722fd1e860 1047 uudeview_0.5.20-3.1.dsc
26078a2358d2826b3f8a47f3e9315f6f3efa7b5f7f78b1c9efe4754d2d725df6 57188 uudeview_0.5.20-3.1.diff.gz
d65f8dc7670d0861766c7215cd776e3a519937710e61e6b691b644b8f647da31 49050 uudeview_0.5.20-3.1_i386.deb
43b82282757a870d80e461ce604e8cfb96e185d7149db7d16493f1cacf5c732d 68000 xdeview_0.5.20-3.1_i386.deb
49b0e8ddc9fa20011be14e7e553a7601a96fa2edb6acdf5af72f844c487a3296 72150 libuu0_0.5.20-3.1_i386.deb
08cb676dc9ebe1925a3615556ad93f44681b1c1324f735baa450125ad4aa2ee7 64518 libuu-dev_0.5.20-3.1_i386.deb
Files:
6c26dce1c2f047f75a8ca03c7a1c045b 1047 utils optional uudeview_0.5.20-3.1.dsc
5078a3a430b91fb498ba50d8b58a8b29 57188 utils optional uudeview_0.5.20-3.1.diff.gz
f50771d820e2af5d2c2795563a7f97b8 49050 utils optional uudeview_0.5.20-3.1_i386.deb
728a0a56a56b7794c2a80e972b63e0c0 68000 utils optional xdeview_0.5.20-3.1_i386.deb
a2cd7008e6a84d8b0ef4fc6a88575517 72150 libs optional libuu0_0.5.20-3.1_i386.deb
2e4af9564dc8d96cb8a225e4db3601db 64518 libdevel optional libuu-dev_0.5.20-3.1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFIM+9IFGfw2OHuP7ERAlmbAJ4tRmegsSSc1OJNruj4CkxoXpQ4wQCaAz4k
0jfGrUkO4jiGFH00X7jsfr4=
=vN9u
-----END PGP SIGNATURE-----
--- End Message ---