Debian Security Advisory

DSA-1329-1 gfax -- insecure temporary files

Date Reported:
05 Jul 2007
Affected Packages:
gfax
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2007-2839.
More information:

Steve Kemp from the Debian Security Audit project discovered that gfax, a GNOME frontend for fax programs, uses temporary files in an unsafe manner, which may be exploited to execute arbitrary commands with the privileges of the root user.

For the old stable distribution (sarge) this problem has been fixed in version 0.4.2-11sarge1.

The stable distribution (etch) is not affected by this problem.

The unstable distribution (sid) is not affected by this problem.

We recommend that you upgrade your gfax package.

Fixed in:

Debian GNU/Linux 3.1 alias sarge

Source:
http://security.debian.org/pool/updates/main/g/gfax/gfax_0.4.2.orig.tar.gz
http://security.debian.org/pool/updates/main/g/gfax/gfax_0.4.2-11sarge1.diff.gz
http://security.debian.org/pool/updates/main/g/gfax/gfax_0.4.2-11sarge1.dsc
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/g/gfax/gfax_0.4.2-11sarge1_alpha.deb
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/g/gfax/gfax_0.4.2-11sarge1_amd64.deb
arm architecture (ARM)
http://security.debian.org/pool/updates/main/g/gfax/gfax_0.4.2-11sarge1_arm.deb
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/g/gfax/gfax_0.4.2-11sarge1_i386.deb
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/g/gfax/gfax_0.4.2-11sarge1_ia64.deb
m68k architecture (Motorola Mc680x0)
http://security.debian.org/pool/updates/main/g/gfax/gfax_0.4.2-11sarge1_m68k.deb
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/g/gfax/gfax_0.4.2-11sarge1_s390.deb
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/g/gfax/gfax_0.4.2-11sarge1_sparc.deb

MD5 checksums of the listed files are available in the original advisory.