
Re: [SECURITY] [DSA 575-1] New catdoc packages fix temporary file vulnerability



On Thu, 2004-10-28 at 15:58 +0200, Martin Schulze wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> - --------------------------------------------------------------------------
> Debian Security Advisory DSA 575-1                     security@debian.org
> http://www.debian.org/security/                             Martin Schulze
> October 28th, 2004                      http://www.debian.org/security/faq
> - --------------------------------------------------------------------------
> 
> Package        : catdoc
> Vulnerability  : insecure temporary file
> Problem-Type   : local
> Debian-specific: no
> CVE ID         : CAN-2003-0193
> Debian Bug     : 183525
> 
> A temporary file problem has been discovered in xlsview from the
> catdoc suite, convertors from Word to TeX and plain text, which could
> lead to local users being able to overwrite arbitrary files via a
> symlink attack on predictable temporary file names.
> 
> For the stable distribution (woody) this problem has been fixed in
> version 0.91.5-1.woody3.
> 
> For the unstable distribution (sid) this problem has been fixed in
> version 0.91.5-2.
> 
> We recommend that you upgrade your catdoc package.

                            [ ... ]

Hi

I tried to find the package you were reporting about, and I could not
find it anywhere in the Debian repositories:

<http://packages.debian.org/cgi-bin/search_packages.pl?version=all&subword=1&exact=&arch=any&releases=all&case=insensitive&keywords=catdog&searchon=all>

Actually there is neither an xlsview nor a catdog reference in the
Debian repositories, or that's at least what the Debian packages search
engine makes me believe. Provided I didn't make a mistake ...

The problem above is one I sometimes run into the last time, IIRC, when
trying to read your reports: So this time I thought I'll write
you ... :)

What I really would need would be understandable information on which
Debian packages are concerned in respect of security issues ... 

Thanks a lot in anticipation for considering the above.

And thanks a lot for countless lots of instances where your work helped
me maintain my OS secure.
Thanks again.

Best Regards
Wolfgang 
-- 
Wolfgang Pfeiffer                           gpg ID: 0AA7E825 
Profile, links: http://profiles.yahoo.com/wolfgangpfeiffer


