Re: [SECURITY] [DSA 945-1] New antiword packages fix insecure temporary file creation
- To: debian-security@lists.debian.org
- Subject: Re: [SECURITY] [DSA 945-1] New antiword packages fix insecure temporary file creation
- From: Stefan Wiens <s.wi@gmx.net>
- Date: Tue, 17 Jan 2006 23:26:51 +0100
- Message-id: <873bjmsel9.fsf@xenon.eswe.dyndns.org>
- In-reply-to: <m1Eysq2-000p5OC@finlandia.Infodrom.North.DE> (joey@infodrom.org's message of "Tue, 17 Jan 2006 16:33:38 +0100 (CET)")
- References: <m1Eysq2-000p5OC@finlandia.Infodrom.North.DE>
* Martin Schulze wrote:
> --------------------------------------------------------------------------
> Debian Security Advisory DSA 945-1 security@debian.org
> http://www.debian.org/security/ Martin Schulze
> January 17th, 2006 http://www.debian.org/security/faq
> --------------------------------------------------------------------------
>
> Package : antiword
> Vulnerability : insecure temporary file
> Problem type : local
> Debian-specific: no
> CVE ID : CVE-2005-3126
>
> Javier Fernández-Sanguino Peña from the Debian Security Audit project
> discovered that two scripts in antiword, utilities to convert Word
> files to text and Postscript, create a temporary file in an insecure
> fashion.
>
> For the old stable distribution (woody) these problems have been fixed in
> version 0.32-2woody0.
I reported this problem on Tue, 16 Nov 2004, bug ID #281656.
As the quoting of $out_file and $err_file is still insufficient, the
fix solves #281656 only partially.
Stefan Wiens