Gentoo Archives: gentoo-dev

From: Daniel Ahlberg <aliz@g.o>
To: gentoo-security@g.o
Cc: gentoo-user@g.o, gentoo-dev@g.o, gentoo-desktop@g.o, gentooppc-user@g.o, gentooppc-dev@g.o, gentoo-sparc@××××××.org
Subject: [gentoo-dev] GLSA: mpack
Date: Fri, 02 Aug 2002 07:10:16
Message-Id: 200208021410.04096.aliz@gentoo.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT
- - --------------------------------------------------------------------

PACKAGE : mpack
SUMMARY : remote buffer overflow
DATE    : 2002-08-02 12:15 UTC

- - --------------------------------------------------------------------

OVERVIEW

A buffer overflow in the munpack program causes the program to crash
and might also be used to run arbitrary code.

There also exists a second vulnerability that affects malformed
filenames.

DETAIL

- From Debian Security Advisory DSA 141-1:

Eckehard Berns discovered a buffer overflow in the munpack program
which is used for decoding (respectively) binary files in MIME
(Multipurpose Internet Mail Extensions) format mail messages. If
munpack is run on an appropriately malformed email (or news article)
then it will crash, and perhaps can be made to run arbitrary code.

Herbert Xu reported a second vulnerability which affected malformed
filenames that refer to files in upper directories like "../a". The
security impact is limited, though, because only a single leading
"../" was accepted and only new files can be created (i.e. no files
will be overwritten).

The full Debian Security Advisory can be read at
http://security.debian.org
NOTE: The DSA was not uploaded at the time when this
advisory was written.
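The filename problem described above, as an added example (not code from this advisory, from mpack or from Debian): a sanitizer for the MIME "filename" parameter that rejects any name able to leave the extraction directory, rather than tolerating one leading "../". The names sanitize_attachment_name, name_is_safe, scratch_name and MAX_NAME are assumptions of this example.

```c
/* Added example, not code from the advisory, mpack or Debian: a defender-
 * side sanitizer for the MIME "filename" parameter. Instead of tolerating
 * a single leading "../" as the DSA describes, it rejects any such name. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MAX_NAME 255                 /* assumed: one filesystem component */
char scratch_name[MAX_NAME + 1];     /* output buffer for main() and tests */

/* Copy hdr into out (size outlen) and return 1 if the name is safe to
 * create inside the extraction directory; return 0 (out untouched) if not.
 * Policy assumed by this example: no path separators of any OS, no "."
 * or "..", no leading dot, printable ASCII only. */
int sanitize_attachment_name(const char *hdr, char *out, size_t outlen)
{
    size_t len, i;
    if (hdr == NULL || out == NULL || outlen == 0)
        return 0;
    len = strlen(hdr);
    if (len == 0 || len > MAX_NAME || len >= outlen)
        return 0;
    if (hdr[0] == '.')               /* covers ".", "..", and dotfiles */
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)hdr[i];
        /* '/' and '\\' separate components, ':' is a drive/stream
         * separator on some systems; controls and non-ASCII are refused. */
        if (c == '/' || c == '\\' || c == ':' || c < 0x20 || c > 0x7e)
            return 0;
    }
    memcpy(out, hdr, len + 1);
    return 1;
}

/* 1 if hdr would be accepted, 0 if rejected. */
int name_is_safe(const char *hdr)
{
    return sanitize_attachment_name(hdr, scratch_name, sizeof scratch_name);
}

int main(void)
{   /* Constructed header values, including the "../a" case from the DSA. */
    const char *samples[] = { "report.txt", "../a", "sub/../a",
                              "/etc/passwd", "..", ".profile", "a\\b" };
    size_t n;
    for (n = 0; n < sizeof samples / sizeof samples[0]; n++)
        printf("%-12s -> %s\n", samples[n],
               name_is_safe(samples[n]) ? "accepted" : "rejected");
    return 0;
}
```

Pair the sanitized name with O_CREAT|O_EXCL when opening it, so that, as the DSA notes for munpack, only new files can ever be created.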

SOLUTION

It is recommended that all Gentoo Linux users update their systems as
follows.

emerge rsync
emerge mpack
emerge clean

- - --------------------------------------------------------------------
Daniel Ahlberg
aliz@g.o
- - --------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9SnaRfT7nyhUpoZMRAhRHAJ9/hc3+8OBchIpgK5nSOfsMbr5RrQCgnXJk
gZ2zyO+j5y5kdDsPRQH1qLM=
=h89V
-----END PGP SIGNATURE-----