Pan saves some files as executable
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| pan (Ubuntu) |
Confirmed
|
Low
|
Unassigned | ||
Bug Description
This is a report of a serious security problem I found with pan 0.132, it affects all releases Ubuntu including 9.04 (and also with Pan 0.133 as shipped with Fedora-10).
The problem is that Pan obeys the original yEnc standard which preserves file permissions, thus allowing malware to be saved as executable (typically the somefilename.
The discussion of this resulted in the proposed patch to disable the preservation of file permission mask, as covered here:
http://<email address hidden>
Hopefully the Ubuntu team will implement this very soon, but following here is how I did it:
Of course, you should *think* carefully about following *any* system wide commands that involve 'sudo', and ensure you understand any commands before trying them!
First I installed Pan from the Ubuntu repository as a typical user would. I set it up with my news server (news.virginmed
Then I installed the packages needed to build Pan, first the libraries from the repository:
sudo apt-get install libpcre++-dev libgmime-2.0-2-dev libgtkspell-dev
Then I downloaded the pan 0.133 source (you could replace the wget step by using a web browser to check it is the correct pan site, of course):
cd ~/Documents
wget http://
tar -xf pan-0.133.tar.gz
cd pan-0.133/
Then configure and build the basic version of pan 0.133 with this:
./configure
make
After a couple of minutes, hopefully it will have built correctly. Then I edited the decoder source file to apply the fix:
gedit pan/tasks/
Go to line 137 (e.g. Ctrl+I and enter 137) and add the IGNMODE step so it looks like this code section:
UUSetMsgC
UUSetOption (UUOPT_DESPERATE, 1, NULL); // keep incompletes; they're useful to par2
UUSetOption (UUOPT_IGNMODE, 1, NULL); // don't save file as executable
UUSetBusy
Save decoder.cc (e.g. Ctrl+S) and then build the new version with:
make
This should be much quicker. Finally, it can be installed with this:
sudo cp /usr/bin/pan /usr/bin/pan-0.132
sudo cp pan/gui/pan /usr/bin/pan
If you start pan the menu Help -> About should now report Pan 0.133
| description: | updated |
| visibility: | private → public |
| Jamie Strandboge (jdstrand) wrote | #2 |
| visibility: | private → public |
| Changed in pan (Ubuntu): | |
| status: | New → Confirmed |
| Changed in pan (Ubuntu): | |
| importance: | Undecided → Low |
| Paul Crawford (psc-sat) wrote | #3 |
| Paul Crawford (psc-sat) wrote | #4 |
| Jamie Strandboge (jdstrand) wrote | #5 |
Changed visibility back to private, as maybe less trouble all round if Ubuntu fixes it as an package update, rather than lots of folk trying this themselves.