
This queue is for tickets about the Convert-UUlib CPAN distribution.

Report information
The Basics
Id: 6050
Status: resolved
Priority: 0/
Queue: Convert-UUlib

People
Owner: Nobody in particular
Requestors: Nicolas.Mailhot [...] laPoste.net
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in:
  • 0.201
  • 0.2
  • 0.21
  • 0.211
  • 0.212
  • 0.213
  • 0.3
  • 0.31
  • 1.0
  • 1.01
Fixed in: (no value)



Subject: Convert-UUlib security vuln ?
Please note all Convert-UUlib versions ship with a built-in uudeview lib that's vulnerable according to:

http://www.securityfocus.com/bid/9758

See also: http://bugzilla.fedora.us/show_bug.cgi?id=375
Date: Sun, 18 Apr 2004 22:00:43 +0200
From: <pcg [...] goof.com ( Marc) (A.) (Lehmann )>
To: Guest via RT <bug-Convert-UUlib [...] rt.cpan.org>
CC: undisclosed-recipients: ;
Subject: Re: [cpan #6050] Convert-UUlib security vuln ?
RT-Send-Cc:
On Sun, Apr 18, 2004 at 03:04:52PM -0400, Guest via RT <bug-Convert-UUlib@rt.cpan.org> wrote:
> Please note all Convert-UUlib versions ship with a built-in uudeview lib that's vulnerable according to:
>
> http://www.securityfocus.com/bid/9758

Are you sure that convert-uulib is vulnerable or are you just assuming it is using an unpatched uulib? According to the diffs it seems as if the version in Convert-UUlib is not vulnerable.

I'll try to integrate the changes from 0.5.19-0.5.20 into convert-uulib, though, and see whether convert-uulib really is vulnerable.

Thanks for the notification in any case!

-- 
      -----==-                                             |
      ----==-- _                                           |
      ---==---(_)__  __ ____  __       Marc Lehmann      +--
      --==---/ / _ \/ // /\ \/ /       pcg@goof.com      |e|
      -=====/_/_//_/\_,_/ /_/\_\       XX11-RIPE         --+
        The choice of a GNU generation                       |
                                                             |
> Are you sure that convert-uulib is vulnerable or are you just assuming
> it is using an unpatched uulib? According to the diffs it seems as if
> the version in Convert-UUlib is not vulnerable.

I didn't check anything apart from the version uulib reported. Since the rpm was about to be released in Fedora.us, the first priority was to stop everything and check afterwards.

I'll package 1.03 now - by the time it's QA'd at Fedora.us you will probably have had the time to find instabilities. fedora.us QA is dog-slow :(

BTW, if you really feel your uulib version is safe you should probably add it to the list of non-affected implementations at security focus.
Date: Sun, 18 Apr 2004 22:51:44 +0200
From: <pcg [...] goof.com ( Marc) (A.) (Lehmann )>
To: Guest via RT <bug-Convert-UUlib [...] rt.cpan.org>
CC: undisclosed-recipients: ;
Subject: Re: [cpan #6050] Convert-UUlib security vuln ?
RT-Send-Cc:
On Sun, Apr 18, 2004 at 04:38:04PM -0400, Guest via RT <bug-Convert-UUlib@rt.cpan.org> wrote:
> This message about Convert-UUlib was sent to you by guest <> via rt.cpan.org
>
> Full context and any attached attachments can be found at:
> <URL: https://rt.cpan.org/Ticket/Display.html?id=6050 >
>
> BTW if you really feel your uulib version is safe you should probably
> add it to the list of non-affected implementations at security focus.

Thanks for the info. I never felt it was safe (I found way too many bugs in it), but I am reasonably sure it is not affected by the bug that was patched.

Please note that I still recommend 1.01/1.02 for stability (and reproducibility) reasons, but you are free to release 1.03, of course; it will result in more testing, if any :->

-- 
      -----==-                                             |
      ----==-- _                                           |
      ---==---(_)__  __ ____  __       Marc Lehmann      +--
      --==---/ / _ \/ // /\ \/ /       pcg@goof.com      |e|
      -=====/_/_//_/\_,_/ /_/\_\       XX11-RIPE         --+
        The choice of a GNU generation                       |
                                                             |
[pcg@goof.com - Sun Apr 18 16:51:38 2004]:
> Please note that I still recommend 1.01/1.02 for stability (and
> reproducibility) reasons, but you are free to release 1.03, of course,
> it will result in more testing, if any :->

Well, since I couldn't find 1.03 and I've already spent an awful lot of time on Convert-UUlib today, I've decided to trust you and propose 1.02 to Fedora.us QA :)
Date: Mon, 19 Apr 2004 08:25:56 +0200
From: <pcg [...] goof.com ( Marc) (A.) (Lehmann )>
To: Guest via RT <bug-Convert-UUlib [...] rt.cpan.org>
CC: undisclosed-recipients: ;
Subject: Re: [cpan #6050] Convert-UUlib security vuln ?
RT-Send-Cc:
On Sun, Apr 18, 2004 at 05:10:59PM -0400, Guest via RT <bug-Convert-UUlib@rt.cpan.org> wrote:
> > will result in more testing, if any :->
>
> Well, since I couldn't find 1.03 and I've already spent an awful lot of
> time on Convert-UUlib today I've decided to trust you and propose 1.02
> to Fedora.us QA:)

It takes a few hours until an uploaded perl module gets distributed. It should be on the primary CPAN site, ftp.funet.fi, within an hour after upload, though.

If I had known it's urgent I would have provided a download URL...

-- 
      -----==-                                             |
      ----==-- _                                           |
      ---==---(_)__  __ ____  __       Marc Lehmann      +--
      --==---/ / _ \/ // /\ \/ /       pcg@goof.com      |e|
      -=====/_/_//_/\_,_/ /_/\_\       XX11-RIPE         --+
        The choice of a GNU generation                       |
                                                             |
[pcg@goof.com - Mon Apr 19 02:25:53 2004]:
> It takes a few hours until an uploaded perl module gets distributed. It
> should be on the primary CPAN site, ftp.funet.fi, within an hour after
> upload, though.
>
> If I had known it's urgent I would have provided a download URL...

It was not urgent at all. It was just getting very late in Europe ;)

I'll package 1.03 too now - moving from one version to another is really easy as long as the makefile behaviour does not change.