Debian Security Advisory
DSA-292-3 mime-support -- insecure temporary file creation
- Date Reported:
- 22 Apr 2003
- Affected Packages:
- mime-support
- Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-2003-0214.
- More information:
-
Colin Phipps discovered several problems in mime-support, which contains support programs for the MIME control files 'mime.types' and 'mailcap'. When a temporary file is to be used, it is created insecurely, allowing an attacker to overwrite arbitrary files under the user id of the person executing run-mailcap.
When run-mailcap is executed on a file with a potentially problematic filename, a temporary file is created (no longer insecurely) and removed, and a symbolic link to this filename is created. An attacker could recreate the file before the symbolic link is created, forcing the display program to display different content.
For the stable distribution (woody) these problems have been fixed in version 3.18-1.3.
For the old stable distribution (potato) these problems have been fixed in version 3.9-1.3.
For the unstable distribution (sid) these problems have been fixed in version 3.23-1.
We recommend that you upgrade your mime-support packages.
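The two problems described above come down to opening or linking a name that another local user can occupy first. The following is an added example, not code from run-mailcap or from the advisory: it contrasts a non-exclusive open of a guessable name with an exclusive create, and shows a symlink placed inside a private directory. All function and file names are hypothetical, and the scenario is constructed inside a scratch directory.

```python
import os
import tempfile

def naive_write(path, data):
    # Pre-fix pattern: opens a guessable name and follows any symlink found there.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)

def exclusive_write(path, data):
    # O_CREAT|O_EXCL is atomic and fails if the name exists, symlinks included.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)

def private_link(target, name="view"):
    # A fresh 0700 directory: no other user can create or replace names in it.
    d = tempfile.mkdtemp(prefix="mailcap-demo-")
    link = os.path.join(d, name)
    os.symlink(target, link)
    return link

def demo():
    # Constructed scenario; returns the observed outcomes for inspection.
    with tempfile.TemporaryDirectory() as shared:
        victim = os.path.join(shared, "victim.txt")
        guess = os.path.join(shared, "predictable.tmp")  # stand-in temp name
        with open(victim, "wb") as f:
            f.write(b"original")
        os.symlink(victim, guess)  # the name is occupied before the program runs
        try:
            exclusive_write(guess, b"data")
            refused = False
        except FileExistsError:
            refused = True
        with open(victim, "rb") as f:
            intact = f.read() == b"original"
        naive_write(guess, b"data")
        with open(victim, "rb") as f:
            clobbered = f.read() == b"data"
        link = private_link(victim)
        pdir = os.path.dirname(link)
        mode = os.stat(pdir).st_mode & 0o777
        resolves = os.path.realpath(link) == os.path.realpath(victim)
        os.unlink(link)
        os.rmdir(pdir)
    return refused, intact, clobbered, mode, resolves

if __name__ == "__main__":
    print(demo())
```

The exclusive create leaves the linked file untouched, while the non-exclusive open writes through the symlink; the private directory removes the window between removing a temporary name and creating the link.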
- Fixed in:
-
Debian GNU/Linux 2.2 (potato)
- Source:
- http://security.debian.org/pool/updates/main/m/mime-support/mime-support_3.9-1.3.dsc
- http://security.debian.org/pool/updates/main/m/mime-support/mime-support_3.9-1.3.tar.gz
- Architecture-independent component:
- http://security.debian.org/pool/updates/main/m/mime-support/mime-support_3.9-1.3_all.deb
Debian GNU/Linux 3.0 (woody)
- Source:
- http://security.debian.org/pool/updates/main/m/mime-support/mime-support_3.18-1.3.dsc
- http://security.debian.org/pool/updates/main/m/mime-support/mime-support_3.18-1.3.tar.gz
- Architecture-independent component:
- http://security.debian.org/pool/updates/main/m/mime-support/mime-support_3.18-1.3_all.deb
MD5 checksums of the listed files are available in the original advisory.
MD5 checksums of the listed files are available in the revised advisory.