[Pan-users] Re: Can't get Pan Newsreader start


From: Duncan
Subject: [Pan-users] Re: Can't get Pan Newsreader start
Date: Tue, 28 Oct 2008 23:04:21 +0000 (UTC)
User-agent: Pan/0.133 (House of Butterflies)

Dag Ringdal <address@hidden> posted
address@hidden, excerpted below, on  Tue, 28 Oct 2008
21:53:02 +0100:

> When I click the icon nothing happens and when I type pan in a terminal
> I get the following error message:  pan pan: parts.cc:244: void
> pan::Parts::set_parts(const pan::PartBatch&): Assertion `pch ==
> part_mid_buf + part_mid_buf_len' failed. Aborted
> 
> Can anybody give me a hint what to do? I have tried to reinstall the
> package, but it doesn't help.

You are suffering the *.nzb buffer overflow bug as corrected in 0.133, 
altho some distributions have just patched their 0.132 version to fix the 
bug.  THIS IS A SECURITY VULNERABILITY, so you need to upgrade.  As I 
said, 0.133 has this fixed but so do some distributions' 0.132 (check the 
changelog if you need to, but obviously whatever you're running doesn't 
have it).  Sources are available at the pan web site if you need to 
compile your own.  

Otherwise, if your distribution doesn't have an update, tell them to get 
on the stick, as the bug has had a patch available for five months now 
(late May)[1], and Charles released 0.133 on August 1.  If they're this 
far behind in security patches... well, are you sure you've chosen the 
best distribution for your needs?

Meanwhile, you can correct the aborted open by deleting the corrupted 
tasks.nzb file in pan's data dir, ~/.pan2 by default (changeable by 
pointing the PAN_HOME environmental variable at the desired directory).  
That will allow you to run pan again, until the next time something 
corrupts the file, anyway.  Of course, it doesn't correct the security 
vuln.  Only updating pan to 0.133 or a patched 0.132 will fix the 
security problem.

[1]  I'm on Gentoo, and filed Gentoo bug 224051 on May 29, the same day 
it was reported on the pan developer list, referencing Red Hat/Fedora bug 
446902 as filed by the original reporter on May 16 with patch on May 27, 
a new Gentoo ebuild was in the tree June 3, Gentoo/amd64 stable June 19, 
Gentoo/x86 stable June 20 (tho some of the minor archs slacked).  The 
Gentoo Linux Security Alert (GLSA) was posted July 31.

Red Hat bug: https://bugzilla.redhat.com/show_bug.cgi?id=446902

Post to the pan developer list:
http://permalink.gmane.org/gmane.comp.gnome.apps.pan.devel/1077

Gentoo bug: http://bugs.gentoo.org/show_bug.cgi?id=224051

Gnome bug: http://bugzilla.gnome.org/show_bug.cgi?id=535413

CVE security reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2363

LWN alert tracker page (listing Gentoo (July 31) and Mandriva (Sept 22) 
as having alerts, so far):
http://lwn.net/Articles/292407/

SuSE has an update as seen on LWN, but it was grouped so LWN apparently 
missed listing it on the page above (June 13, FASTEST):
http://lwn.net/Articles/286067/

Interesting.  Altho the original bug was filed against Fedora on Red 
Hat's bugzilla, they've been sitting on it with no bug activity since 
June 2.  Of course, it's an Extras package, and before the 0.133 bugfix 
release upstream, additional patches were needed to compile for F9, but 
the bugfix release was August 1, and there's no activity.  Maybe it's 
fixed without closing the bug?  Or maybe that's what you're running. 
<shrug>

As mentioned above, SuSE was the fastest on this one.  I worked with 
OpenSuSE's Dan Rahn on a different bug/patch (updating pan to compile 
with newer glib) and from my impression he's pretty sharp and on the 
ball, so it's really little surprise they were first on this one.

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman
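
The workaround and version check described in the message above, as an added shell example that is not part of the original post. The function names are hypothetical, and moving tasks.nzb aside instead of deleting it is a choice of this example (Pan no longer finds the file either way, and the copy can still be attached to a bug report).

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Resolve Pan's data directory: PAN_HOME if set and non-empty, else ~/.pan2.
pan_data_dir() {
    printf '%s\n' "${PAN_HOME:-$HOME/.pan2}"
}

# Return 0 if version string $1 (e.g. "0.133") is at least 0.133, the upstream
# release carrying the fix; return 1 if older, 2 if the string is unparsable.
# A distribution-patched 0.132 cannot be recognised from the number alone,
# so for 0.132 the package changelog still has to be checked by hand.
pan_version_fixed() {
    major=${1%%.*}
    minor=${1#*.}
    minor=${minor%%[!0-9]*}          # keep only the leading digits of the minor
    case $major in ''|*[!0-9]*) return 2 ;; esac
    [ -n "$minor" ] || return 2
    [ "$major" -gt 0 ] && return 0
    [ "$minor" -ge 133 ]
}

# Move the corrupted task queue out of Pan's way and print the new path.
# Returns 1 if there is no tasks.nzb in the data directory.
quarantine_tasks_nzb() {
    dir=$(pan_data_dir)
    src=$dir/tasks.nzb
    [ -f "$src" ] || { echo "no tasks.nzb in $dir" >&2; return 1; }
    dst=$src.corrupt.$(date +%Y%m%d%H%M%S)
    mv -- "$src" "$dst" && printf '%s\n' "$dst"
}
```

Run `quarantine_tasks_nzb` with Pan closed; it only gets Pan starting again and does nothing about the vulnerability itself.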




