Please find out which part of KDE embeds this code... ----- Forwarded message from Marco d'Itri <md@linux.it> ----- Subject: Bug#480972: vulnerable to symlink attacks Reply-To: Marco d'Itri <md@linux.it>, 480972@bugs.debian.org From: Marco d'Itri <md@linux.it> To: Debian Bug Tracking System <submit@bugs.debian.org> Package: libuu-dev Version: 0.5.20-3 Severity: critical Tags: security upstream Security team: libuu-dev is a static-only library (see #216593). klibido, nget and slrn build-depend on libuu-dev, while libconvert-uulib-perl and kde (I don't know exactly which package, look in the kdesupport directory) contain an embedded copy. Pan has an embedded copy too, but it's modified and does not contain this code. This code in uulib/uunconc.c is vulnerable to symlink attacks. if ((data->binfile = tempnam (NULL, "uu")) == NULL) { UUMessage (uunconc_id, __LINE__, UUMSG_ERROR, uustring (S_NO_TEMP_NAME)); return UURET_NOMEM; } if ((dataout = fopen (data->binfile, mode)) == NULL) { -- ciao, Marco ----- End forwarded message ----- -- ciao, Marco
Attachment:
signature.asc
Description: Digital signature