
Security: Insecure use of temporary files in cdrecord
Name: Insecure use of temporary files in cdrecord
ID: USN-100-1
Distribution: Ubuntu
Platforms: Ubuntu 4.10
Date: Sun, 27 March 2005, 13:00
References: http://bugs.debian.org/291376
Applications: CDRecord

Original message

===========================================================
Ubuntu Security Notice USN-100-1 March 24, 2005
cdrtools vulnerability
http://bugs.debian.org/291376
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

cdrecord

The problem can be corrected by upgrading the affected package to
version 4:2.0+a30.pre1-1ubuntu2.2. In general, a standard system
upgrade is sufficient to effect the necessary changes.

Details follow:

Javier Fernández-Sanguino Peña noticed that cdrecord created temporary
files in an insecure manner if DEBUG was enabled in
/etc/cdrecord/rscsi. If the default value was used (which stored the
debug output file in /tmp), this could allow a symbolic link attack to
create or overwrite arbitrary files with the privileges of the user
invoking cdrecord.

Please note that DEBUG is not enabled by default in Ubuntu, so if you
did not explicitly enable it, this does not affect you.



--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
http://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
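
The symbolic link problem described in the notice, as an added example (not cdrecord's code and not the actual patch): a log opener that follows a symlink already present at the log path, next to a hardened opener that refuses it. The function names, the scratch directory and the file contents are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern from the notice: O_CREAT without O_EXCL follows a symlink at `path`. */
int open_log_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_APPEND, 0600);
}

/* Hardened: create exclusively (O_EXCL never follows a symlink in the last
 * path component), or reuse only our own regular, singly linked file. */
int open_log_safe(const char *path) {
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_APPEND, 0600);
    if (fd >= 0 || errno != EEXIST) return fd;
    fd = open(path, O_WRONLY | O_NOFOLLOW | O_APPEND); /* ELOOP on a symlink */
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario in a private scratch directory: a symlink already sits
 * at the log path. Returns the link target's size after the log write. */
long target_size_after_log(int (*opener)(const char *)) {
    char dir[] = "/tmp/usn100-demo-XXXXXX", target[64], logp[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/precious", dir);
    snprintf(logp, sizeof logp, "%s/debug.log", dir);
    FILE *f = fopen(target, "w");
    if (!f || fputs("keep\n", f) < 0 || fclose(f) != 0) return -1;
    if (symlink(target, logp) != 0) return -1;
    int fd = opener(logp);
    if (fd >= 0) { if (write(fd, "debug\n", 6) != 6) perror("write"); close(fd); }
    long size = stat(target, &st) == 0 ? (long)st.st_size : -1;
    unlink(logp); unlink(target); rmdir(dir);
    return size;
}

int main(void) {
    printf("unsafe opener: target is %ld bytes\n", target_size_after_log(open_log_unsafe));
    printf("safe opener:   target is %ld bytes\n", target_size_after_log(open_log_safe));
}
```

With the unsafe opener the 5-byte target grows by the 6 bytes of log output; with the hardened opener it keeps its original size because the open fails.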