Package: libuu-dev Version: 0.5.20-3 Severity: critical Tags: security upstream
Security team: libuu-dev is a static-only library (see #216593).
klibido, nget and slrn build-depend on libuu-dev, while
libconvert-uulib-perl and kde (I don't know exactly which package,
look in the kdesupport directory) contain an embedded copy.
Pan has an embedded copy too, but it's modified and does not contain
this code.
This code in uulib/uunconc.c is vulnerable to symlink attacks.
if ((data->binfile = tempnam (NULL, "uu")) == NULL) {
UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
uustring (S_NO_TEMP_NAME));
return UURET_NOMEM;
}
if ((dataout = fopen (data->binfile, mode)) == NULL) {
--
ciao,
Marco
signature.asc
Description: Digital signature
