CVE-2014-1638
Published: 28 January 2014
(1) debian/postrm and (2) debian/localepurge.config in localepurge before 0.7.3.2 use tempfile to create a safe temporary file, but then append a suffix to the original filename and write to this new filename, which allows local users to overwrite arbitrary files via a symlink attack on the new filename.
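The flaw described above, next to two hardened forms, as an added example that is not code from localepurge or from this tracker. The function names and the `.suffix` placeholder are assumptions, since the page does not name the real suffix, and the check runs only inside a private `mktemp -d` sandbox.

```shell
#!/bin/sh
# Added example: constructed code, not taken from localepurge.
# ".suffix" is a placeholder; the page does not name the real suffix.

# Flawed pattern: mktemp/tempfile creates "$1" exclusively, but the data
# goes to a second, derived name that nothing reserved.
write_derived() {            # $1 = name from mktemp, $2 = data
    printf '%s\n' "$2" > "$1.suffix"
}

# Fix 1: write only to the file that mktemp itself created.
write_direct() {
    printf '%s\n' "$2" > "$1"
}

# Fix 2: if a derived name is unavoidable, create it exclusively.
# noclobber (set -C) makes ">" fail when the name already exists,
# including when it is a symlink.
write_derived_excl() {
    ( set -C; printf '%s\n' "$2" > "$1.suffix" ) 2>/dev/null
}

# Regression check in a private sandbox: "$box/protected" stands for a
# file the script must never touch, and a pre-existing symlink occupies
# the derived name. Prints the file's content after calling writer "$1".
check_writer() {
    box=$(mktemp -d) || return 1
    printf 'original\n' > "$box/protected"
    tmp=$(mktemp "$box/tmp.XXXXXX") || return 1
    ln -s "$box/protected" "$tmp.suffix"
    "$1" "$tmp" "new data" || true
    cat "$box/protected"
    rm -rf "$box"
}

for w in write_derived write_direct write_derived_excl; do
    printf '%-20s protected file now holds: %s\n' "$w" "$(check_writer "$w")"
done
```

Only `write_derived` changes the protected file; a maintainer script that runs as root should use one of the other two forms.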
Priority
Status
Package | Release | Status |
---|---|---|
localepurge (Launchpad, Ubuntu, Debian) | vivid | Not vulnerable (0.7.3.2) |
localepurge | lucid | Ignored (end of life) |
localepurge | precise | Ignored (end of life) |
localepurge | quantal | Ignored (end of life) |
localepurge | saucy | Ignored (end of life) |
localepurge | trusty | Does not exist (trusty was not-affected [0.7.3.2]) |
localepurge | upstream | Released (0.7.3.2) |
localepurge | utopic | Not vulnerable (0.7.3.2) |
localepurge | wily | Not vulnerable (0.7.3.2) |
localepurge | xenial | Not vulnerable (0.7.3.2) |
localepurge | yakkety | Not vulnerable (0.7.3.2) |
localepurge | zesty | Not vulnerable (0.7.3.2) |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1638
- http://xforce.iss.net/xforce/xfdb/90669
- http://www.openwall.com/lists/oss-security/2014/01/22/4
- http://www.openwall.com/lists/oss-security/2014/01/22/3
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736359
- NVD
- Launchpad
- Debian