|
Family: Ubuntu Local Security Checks --> Category: infos
USN100-1 : cdrtools vulnerability Vulnerability Scan
Vulnerability Scan Summary cdrtools vulnerability
Detailed Explanation for this Vulnerability Test
Synopsis :
These remote packages are missing security patches :
- cdda2wav
- cdrecord
- cdrtools-doc
- mkisofs
Description :
Javier Fernández-Sanguino Peña noticed that cdrecord created temporary
files in an insecure manner if DEBUG was enabled in
/etc/cdrecord/rscsi. If the default value was used (which stored the
debug output file in /tmp), this could allow a symbolic link attack to
create or overwrite arbitrary files with the rights of the user
invoking cdrecord.
Please note that DEBUG is not enabled by default in Ubuntu, so if you
did not explicitly enable it, this does not affect you.
Solution :
Upgrade to :
- cdda2wav-2.0+a30.pre1-1ubuntu2.2 (Ubuntu 4.10)
- cdrecord-2.0+a30.pre1-1ubuntu2.2 (Ubuntu 4.10)
- cdrtools-doc-2.0+a30.pre1-1ubuntu2.2 (Ubuntu 4.10)
- mkisofs-2.0+a30.pre1-1ubuntu2.2 (Ubuntu 4.10)
Threat Level: High
Click HERE for more information and discussions on this network vulnerability scan.
|