Pan: User-assisted execution of arbitrary code

1. Gentoo Linux Security Advisory

Advisory Reference	GLSA 200807-15 / pan
Release Date	July 31, 2008
Latest Revision	July 31, 2008: 01
Impact	normal
Exploitable	remote

Package	Vulnerable versions	Unaffected versions	Architecture(s)
net-nntp/pan	< 0.132-r3	>= 0.132-r3, revision >= 0.14.2.91-r2, = 0.14.2	All supported architectures

Related bugreports: #224051

Synopsis

A buffer overflow vulnerability in Pan may allow remote attacker to execute arbitrary code.

2. Impact Information

Background

Pan is a newsreader for the GNOME desktop.

Description

Pavel Polischouk reported a boundary error in the PartsBatch class when processing .nzb files.

Impact

A remote attacker could entice a user to open a specially crafted .nzb file, possibly resulting in the remote execution of arbitrary code with the privileges of the user running the application.

3. Resolution Information

Workaround

There is no known workaround at this time.

Resolution

All Pan users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-nntp/pan-0.132-r3"

4. References

CVE-2008-2363

Updated July 31, 2008

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.