Please find out which part of KDE embeds this code... ----- Forwarded message from Marco d'Itri <[EMAIL PROTECTED]> -----
Subject: Bug#480972: vulnerable to symlink attacks
Reply-To: Marco d'Itri <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
From: Marco d'Itri <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Package: libuu-dev
Version: 0.5.20-3
Severity: critical
Tags: security upstream
Security team: libuu-dev is a static-only library (see #216593).
klibido, nget and slrn build-depend on libuu-dev, while
libconvert-uulib-perl and kde (I don't know exactly which package,
look in the kdesupport directory) contain an embedded copy.
Pan has an embedded copy too, but it's modified and does not contain
this code.
This code in uulib/uunconc.c is vulnerable to symlink attacks.
if ((data->binfile = tempnam (NULL, "uu")) == NULL) {
UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
uustring (S_NO_TEMP_NAME));
return UURET_NOMEM;
}
if ((dataout = fopen (data->binfile, mode)) == NULL) {
--
ciao,
Marco
----- End forwarded message -----
--
ciao,
Marco
signature.asc
Description: Digital signature
