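UUDeview: Insecure temporary file creation

Synopsis: A vulnerability in UUDeview may allow local attackers to conduct symlink attacks.
Products: nzbget, uudeview
Announced: August 11, 2008
Revised: August 11, 2008: 01
Bugs: 222275, 224193
Access: local
Affected packages: app-text/uudeview (vulnerable < 0.5.20-r1, unaffected >= 0.5.20-r1); news-nntp/nzbget (vulnerable < 0.4.0, unaffected >= 0.4.0)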

UUDeview is an encoder and decoder supporting various binary formats. NZBGet is a command-line based binary newsgrabber supporting .nzb files.

UUDeview uses the tempnam() function insecurely when creating temporary files. NZBGet includes a copy of the vulnerable code.

A local attacker could exploit this vulnerability to overwrite arbitrary files on the system.
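The C program below is an added illustration, not code from UUDeview, NZBGet or the advisory. It contrasts opening a name that was chosen in advance (as tempnam() returns it) with exclusive creation, in a constructed scenario where the name already exists as a symlink; the function names and the private test directory are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the advisory describes: a name is picked first (as tempnam() returns
 * it) and opened later. fopen("w") follows symlinks and truncates the target. */
int open_after_naming(const char *name) {
    FILE *f = fopen(name, "w");
    if (!f) return -errno;
    fclose(f);
    return 0;
}

/* Hardened open: O_CREAT|O_EXCL fails with EEXIST if the name already exists,
 * including when it is a symlink, so nothing is opened through it. */
int open_exclusive(const char *name) {
    int fd = open(name, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -errno;
    close(fd);
    return 0;
}

/* Constructed scenario in a private directory: "target" holds 6 bytes and
 * "tmpname" is already a symlink to it. Returns target's size afterwards
 * (0 = truncated through the link, -1 = setup error). */
long target_size_after(int hardened) {
    char dir[] = "/tmp/tmpdemo-XXXXXX", target[64], lnk[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/tmpname", dir);
    FILE *f = fopen(target, "w");
    if (!f) return -1;
    fputs("keepme", f); fclose(f);
    if (symlink(target, lnk) != 0) return -1;
    if (hardened) open_exclusive(lnk); else open_after_naming(lnk);
    long size = stat(target, &st) == 0 ? (long)st.st_size : -1;
    unlink(lnk); unlink(target); rmdir(dir);
    return size;
}

int main(void) {
    printf("name-then-open: target is %ld bytes\n", target_size_after(0));
    printf("O_CREAT|O_EXCL: target is %ld bytes\n", target_size_after(1));
    return 0;
}
```

mkstemp() performs the same exclusive creation while also choosing the name, which removes the gap between naming and opening.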

There is no known workaround at this time.

All UUDeview users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-text/uudeview-0.5.20-r1"

All NZBGet users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=news-nntp/nzbget-0.4.0"

References: CVE-2008-2266