Bugzilla – Bug 81068
VUL-0: CVE-2005-1349: perl-Convert-UUlib buffer overflow
Last modified: 2021-11-08 16:39:30 UTC
We received the following report via bugtraq. The issue is public. Apparently an entry in the upstream changelog made gentoo aware of the problem: http://bugs.gentoo.org/show_bug.cgi?id=89501

Date: Tue, 26 Apr 2005 21:54:40 +0200
From: Sune Kloppenborg Jeppesen <jaervosz@gentoo.org>
To: gentoo-announce@gentoo.org
Cc: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk, security-alerts@linuxsecurity.com
Subject: [ GLSA 200504-26 ] Convert-UUlib: Buffer overflow

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200504-26
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Convert-UUlib: Buffer overflow
      Date: April 26, 2005
      Bugs: #89501
        ID: 200504-26

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A buffer overflow has been reported in Convert-UUlib, potentially
resulting in the execution of arbitrary code.

Background
==========

Convert-UUlib provides a Perl interface to the uulib library, allowing
Perl applications to access data encoded in a variety of formats.

Affected packages
=================

    -------------------------------------------------------------------
     Package                /  Vulnerable  /                 Unaffected
    -------------------------------------------------------------------
  1  dev-perl/Convert-UUlib      < 1.051                       >= 1.051

Description
===========

A vulnerability has been reported in Convert-UUlib where a malformed
parameter can be provided by an attacker allowing a read operation to
overflow a buffer. The vendor credits Mark Martinec and Robert Lewis
with the discovery.

Impact
======

Successful exploitation would permit an attacker to run arbitrary code
with the privileges of the user running the Perl application.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Convert-UUlib users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-perl/Convert-UUlib-1.051"

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200504-26.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0
SM-Tracker-1096
I have submitted patches for:
INFO: perl-Convert-UUlib present in /work/src/done/9.1/perl-Convert-UUlib
INFO: perl-Convert-UUlib present in /work/src/done/9.2/perl-Convert-UUlib
INFO: perl-Convert-UUlib present in /work/src/done/9.3/perl-Convert-UUlib
INFO: perl-Convert-UUlib present in /work/src/done/SLES8/perl-Convert-UUlib
Thank you Ludwig!
We also need patches for 9.0 and 8.2 as they are still maintained.
I just found out it's got CAN-2005-1349; please add that to the changelog instead of the swampid.
I have added.
What about the older packages mentioned by Ludwig in comment #3?
I have submitted too.
Ok, reopen for tracking
packages approved
Oops, somehow missed sles8-i386. Strange. I'll create and checkin a patchinfo just for sles8-i386. Sorry guys...
(forgot to reopen...)
Should we approve it without QA-testing?
http://w2d.suse.de/abuildstat/patchinfo/pending/9694e5c78f8a8e62b8088a9e5a050dc7
No. We could raise the SWAMP prio though, or just wait until it gets to the top of the prio list.
Released for sles8 now too.
CVE-2005-1349: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)