Re: [Pan-users] Re: Can't get Pan Newsreader start

[Dag Ringdal]

On ti., 2008-10-28 at 23:04 +0000, Duncan wrote:
> Dag Ringdal <address@hidden> posted
> address@hidden, excerpted below, on  Tue, 28 Oct 2008
> 21:53:02 +0100:
> 
> > When I click the icon nothing happens and when I type pan in a terminal
> > I get the following error message:  pan pan: parts.cc:244: void
> > pan::Parts::set_parts(const pan::PartBatch&): Assertion `pch ==
> > part_mid_buf + part_mid_buf_len' failed. Aborted
> > 
> > Can anybody give me a hint what to do? I have tried to reinstall the
> > pakackage, but it doesn't help.
> 
> You are suffering the *.nzb buffer overflow bug as corrected in 0.133, 
> altho some distributions have just patched their 0.132 version to fix the 
> bug.  THIS IS A SECURITY VULNERABILTY, so you need to upgrade.  As I 
> said, 0.133 has this fixed but so do some distributions' 0.132 (check the 
> changelog if you need to, but obviously whatever you're running doesn't 
> have it).  Sources are available at the pan web site if you need to 
> compile your own.  
> 
> Otherwise, if your distribution doesn't have an update, tell them to get 
> on the stick, as the bug has had a patch available for five months now 
> (late May)[1], and Charles released 0.133 on August 1.  If they're this 
> far behind in security patches... well, are you sure you've chosen the 
> best distribution for your needs?
> 
> Meanwhile, you can correct the aborted open by deleting the corrupted 
> tasks.nzb file in pan's data dir, ~/.pan2 by default (changeable by 
> pointing the PAN_HOME environmental variable at the desired directory).  
> That will allow you to run pan again, until the next time something 
> corrupts the file, anyway.  Of course, it doesn't correct the security 
> vuln.  Only updating pan to 0.133 or a patched 0.132 will fix the 
> security problem.
> 
> [1]  I'm on Gentoo, and filed Gentoo bug 224051 on May 29, the same day 
> it was reported on the pan developer list, referencing Red Hat/Fedora bug 
> 446902 as filed by the original reporter on May 16 with patch on May 27, 
> a new Gentoo ebuild was in the tree June 3, Gentoo/amd64 stable June 19, 
> Gentoo/x86 stable June 20 (tho some of the minor archs slacked).  The 
> Gentoo Linux Security Alert (GLSA) was posted July 31.
> 
I'm running Ubuntu 8.04, and I have a 0.132 version av Pan. I have a
OpenSUSE installation as well, not in the same box though, but Ubuntu is
easy to administer. 

I removed the file you mentioned and Pan is running again. Who is
reponsible to tell the tribes people at Ubuntu that the version they
have in the repository is outdated?

dagr

> Red Hat bug: https://bugzilla.redhat.com/show_bug.cgi?id=446902
> 
> Post to the pan developer list:
> http://permalink.gmane.org/gmane.comp.gnome.apps.pan.devel/1077
> 
> Gentoo bug: http://bugs.gentoo.org/show_bug.cgi?id=224051
> 
> Gnome bug: http://bugzilla.gnome.org/show_bug.cgi?id=535413
> 
> CVE security reference:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2363
> 
> LWN alert tracker page (listing Gentoo (July 31) and Mandriva (Sept 22) 
> as having alerts, so far):
> http://lwn.net/Articles/292407/
> 
> SuSE has an update as seen on LWN, but it was grouped so LWN apparently 
> missed listing it on the page above (June 13, FASTEST):
> http://lwn.net/Articles/286067/
> 
> Interesting.  Altho the original bug was filed against Fedora on Red 
> Hat's bugzilla, they've been sitting on it with no bug activity since 
> June 2.  Of course, it's an Extras package, and before the 0.133 bugfix 
> release upstream, additional patches were needed to compile for F9, but 
> the bugfix release was August 1, and there's no activity.  Maybe it's 
> fixed without closing the bug?  Or maybe that's what you're running. 
> <shrug>
> 
> As mentioned above, SuSE was the fastest on this one.  I worked with 
> OpenSuSE's Dan Rahn on a different bug/patch (updating pan to compile 
> with newer glib) and from my impression he's pretty sharp and on the 
> ball, so it's really little surprise they were first on this one.
>