Gentoo Archives: gentoo-announce

From: Tim Yamin <plasmaroo@g.o>
To: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com, security-alerts@×××××××××××××.com, gentoo-core@l.g.o, gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 200403-05 ] UUDeview MIME Buffer Overflow
Date: Sun, 28 Mar 2004 15:18:03
Message-Id: 4066EC6F.8020700@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200403-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: UUDeview MIME Buffer Overflow
Date: March 26, 2004
Bugs: #44859
ID: 200403-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A specially-crafted MIME file (.mim, .uue, .uu, .b64, .bhx, .hqx, and
.xxe extensions) may cause UUDeview to crash or execute arbitrary code.

Background
==========

UUDeview is a program which is used to transmit binary files over the
Internet in a text-only format. It is commonly used for email and Usenet
attachments. It supports multiple encoding formats, including Base64,
BinHex and UUEncoding.

Description
===========

By decoding a MIME archive with excessively long strings for various
parameters, it is possible to crash UUDeview, or cause it to execute
arbitrary code.

This vulnerability was originally reported by iDEFENSE as part of a
WinZip advisory [ Reference: 1 ].

Impact
======

An attacker could create a specially-crafted MIME file and send it via
email. When the recipient decodes the file, UUDeview may execute arbitrary
code which is embedded in the MIME file, thus granting the attacker
access to the recipient's account.

Workaround
==========

All users should upgrade to UUDeview 0.5.20:

    # emerge sync
    # emerge -pv ">=app-text/uudeview-0.5.20"
    # emerge ">=app-text/uudeview-0.5.20"

References
==========

[ 1 ] http://www.idefense.com/application/poi/display?id=76
[ 2 ] http://www.securityfocus.com/bid/9758

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.
