Debian Security Advisory
nvi -- incorrect file removal in boot script
- Date Reported:
- 08 Jan 2000
- Affected Packages:
- nvi
- Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-2000-0076.
- More information:
- The version of nvi that was distributed with Debian
GNU/Linux 2.1 has an error in the default /etc/init.d/nviboot script: it did
not handle filenames with embedded spaces correctly. This made it possible to
remove files in the root directory by creating entries in /var/tmp/vi.recover.
This has been fixed in version 1.79-9.1 . We recommend you upgrade your nvi package immediately.
If you use a customized version of nviboot please make sure your version does not suffer from this problem. If you upgrade dpkg will offer to replace it with the new safe version if needed.
- Fixed in:
-
- Source:
- http://security.debian.org/dists/slink/updates/source/nvi_1.79-9.1.diff.gz
- http://security.debian.org/dists/slink/updates/source/nvi_1.79-9.1.dsc
- http://security.debian.org/dists/slink/updates/source/nvi_1.79.orig.tar.gz
- alpha:
- http://security.debian.org/dists/slink/updates/binary-alpha/nvi_1.79-9.1_alpha.deb
- i386:
- http://security.debian.org/dists/slink/updates/binary-i386/nvi_1.79-9.1_i386.deb
- m68k:
- http://security.debian.org/dists/slink/updates/binary-m68k/nvi_1.79-9.1_m68k.deb
- sparc:
- http://security.debian.org/dists/slink/updates/binary-sparc/nvi_1.79-9.1_sparc.deb