UUDeview: Insecure temporary file creation — GLSA 200808-11

A vulnerability in UUDeview may allow local attackers to conduct symlink attacks.

Affected packages

app-text/uudeview on all architectures
Affected versions < 0.5.20-r1
Unaffected versions >= 0.5.20-r1
news-nntp/nzbget on all architectures
Affected versions < 0.4.0
Unaffected versions >= 0.4.0

Background

UUDeview is an encoder and decoder supporting various binary formats. NZBGet is a command-line based binary newsgrabber supporting .nzb files.

Description

UUDeview uses the tempnam() function insecurely when creating temporary files. NZBGet includes a copy of the vulnerable code.
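
The general pattern behind this class of bug, as an added example that is not code from UUDeview, NZBGet or this advisory: a name chosen first (as tempnam() does) and opened later with a plain create/truncate open follows a symlink already present at that path, while an exclusive create refuses it. The function names, the /tmp/glsa-demo-XXXXXX directory and the file contents are constructed for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* What fopen(name, "w") on a tempnam() result amounts to: it follows a
   symlink at the path and truncates whatever the link points to. */
static int open_like_fopen_w(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened: create-or-fail. O_CREAT|O_EXCL refuses any existing entry,
   symlinks included. mkstemp() does this with a fresh random name. */
static int open_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Constructed scenario in a private directory: "tmpname" already exists as
   a symlink to "victim" before it is opened. Returns bit 0 if the plain open
   truncated victim, bit 1 if the exclusive open failed with EEXIST and
   victim kept its data; -1 on setup failure. */
int run_demo(void) {
    char dir[] = "/tmp/glsa-demo-XXXXXX", victim[64], tmpname[64];
    struct stat st;
    int result = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmpname, sizeof tmpname, "%s/tmpname", dir);
    for (int pass = 0; pass < 2; pass++) {
        FILE *fp = fopen(victim, "w");          /* (re)fill the victim file */
        if (!fp) return -1;
        fputs("important data\n", fp);
        fclose(fp);
        unlink(tmpname);
        if (symlink(victim, tmpname) != 0) return -1;
        errno = 0;
        int fd = pass == 0 ? open_like_fopen_w(tmpname) : open_exclusive(tmpname);
        int err = errno;
        if (fd >= 0) close(fd);
        if (stat(victim, &st) != 0) return -1;
        if (pass == 0 && fd >= 0 && st.st_size == 0) result |= 1;
        if (pass == 1 && fd < 0 && err == EEXIST && st.st_size > 0) result |= 2;
    }
    unlink(tmpname); unlink(victim); rmdir(dir);
    return result;
}
int main(void) { printf("result bits: %d\n", run_demo()); return 0; }
```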

Impact

A local attacker could exploit this vulnerability to overwrite arbitrary files on the system.

Workaround

There is no known workaround at this time.

Resolution

All UUDeview users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=app-text/uudeview-0.5.20-r1"

All NZBGet users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=news-nntp/nzbget-0.4.0"

Release date
August 11, 2008

Latest revision
August 11, 2008: 01

Severity
normal

Exploitable
local