Pavuk: Remote buffer overflow — GLSA 200406-22

Pavuk contains a bug potentially allowing an attacker to run arbitrary code.

Affected packages

net-misc/pavuk on all architectures
Affected versions <= 0.9.28-r1
Unaffected versions >= 0.9.28-r2

Background

Pavuk is web spider and website mirroring tool.

Description

When Pavuk connects to a web server and the server sends back the HTTP status code 305 (Use Proxy), Pavuk copies data from the HTTP Location header in an unsafe manner.

Impact

An attacker could cause a stack-based buffer overflow which could lead to arbitrary code execution with the rights of the user running Pavuk.

Workaround

There is no known workaround at this time. All users are encouraged to upgrade to the latest available version.

Resolution

All Pavuk users should upgrade to the latest stable version:

 # emerge sync
 
 # emerge -pv ">=net-misc/pavuk-0.9.28-r2"
 # emerge ">="net-misc/pavuk-0.9.28-r2

References

Release date
June 30, 2004

Latest revision
May 22, 2006: 02

Severity
high

Exploitable
remote

Bugzilla entries