Bug#453283: CVE-2007-6061: possible symlink attack

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#453283: CVE-2007-6061: possible symlink attack
From: Steffen Joeris <steffen.joeris@skolelinux.de>
Date: Wed, 28 Nov 2007 21:28:21 +1100
Message-id: <[🔎] 20071128102821.12289.61196.reportbug@hannah.debian.org>
Reply-to: Steffen Joeris <steffen.joeris@skolelinux.de>, 453283@bugs.debian.org

Package: audacity
Severity: grave
Tags: security
Justification: user security hole

Hi

The following CVE[0] has been issued against audacity.

CVE-2007-6061: 

Audacity 1.3.2 creates a temporary directory with a predictable name
without checking for previous existence of that directory, which allows
local users to cause a denial of service (recording deadlock) by
creating the directory before Audacity is run. NOTE: this issue can be
leveraged to delete arbitrary files or directories via a symlink attack.

Please mention the CVE id in your changelog, when you fix this bug.
Thanks for your efforts.

Cheers
Steffen

[0]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6061

Reply to:

Prev by Date: Bug#453244: New upstream version 0.9
Next by Date: Bug#453283: CVE-2007-6103: remote DoS
Previous by thread: Bug#453244: New upstream version 0.9
Next by thread: Bug#453283: CVE-2007-6103: remote DoS
Index(es):
- Date
- Thread