Mandriva Security Advisory - Gnucash versions 2.0.4 and earlier allow local users to overwrite arbitrary files via a symlink attack on the (1) gnucash.trace, (2) qof.trace, and (3) qof.trace.[PID] temporary files.
a58312ea11bca49f80632cb080975f3666c49fff60f447bae1c065dca11d66b2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDKSA-2007:046
http://www.mandriva.com/security/
_______________________________________________________________________
Package : gnucash
Date : February 21, 2007
Affected: 2007.0
_______________________________________________________________________
Problem Description:
Gnucash 2.0.4 and earlier allows local users to overwrite arbitrary
files via a symlink attack on the (1) gnucash.trace, (2) qof.trace,
and (3) qof.trace.[PID] temporary files.
Updated package have been patched to correct this issue.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0007
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2007.0:
a8b619c62b08ffe1a0a94123450c9182 2007.0/i586/gnucash-2.0.1-1.1mdv2007.0.i586.rpm
4670eabd1f6b6ac60d6c0fa6bbf86fae 2007.0/i586/gnucash-hbci-2.0.1-1.1mdv2007.0.i586.rpm
071c5a28526cc29b99d47485d95b5115 2007.0/i586/gnucash-ofx-2.0.1-1.1mdv2007.0.i586.rpm
fa58ac7785e11552ad48bc35427ee689 2007.0/i586/gnucash-sql-2.0.1-1.1mdv2007.0.i586.rpm
3f8f689dd645e73822bd5baa6ba4db1f 2007.0/i586/libgnucash0-2.0.1-1.1mdv2007.0.i586.rpm
336f63153412b508077cc655d6ce9e76 2007.0/i586/libgnucash0-devel-2.0.1-1.1mdv2007.0.i586.rpm
ae715153145554dab009d40e68148ce7 2007.0/SRPMS/gnucash-2.0.1-1.1mdv2007.0.src.rpm
Mandriva Linux 2007.0/X86_64:
5e30146412acbec8657a8f4590146279 2007.0/x86_64/gnucash-2.0.1-1.1mdv2007.0.x86_64.rpm
725b0c74c9335e4698e634ebc34788da 2007.0/x86_64/gnucash-hbci-2.0.1-1.1mdv2007.0.x86_64.rpm
15c729b3a02cef72a3b1e019a2a17415 2007.0/x86_64/gnucash-ofx-2.0.1-1.1mdv2007.0.x86_64.rpm
00724c0891a6e67973c6c9bce8dc25a3 2007.0/x86_64/gnucash-sql-2.0.1-1.1mdv2007.0.x86_64.rpm
db2b23ba27b6651b0452cfa7463b8e4e 2007.0/x86_64/lib64gnucash0-2.0.1-1.1mdv2007.0.x86_64.rpm
c97bf9c1d352b89f59572c1762fd5930 2007.0/x86_64/lib64gnucash0-devel-2.0.1-1.1mdv2007.0.x86_64.rpm
ae715153145554dab009d40e68148ce7 2007.0/SRPMS/gnucash-2.0.1-1.1mdv2007.0.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFF3DLMmqjQ0CJFipgRAt2RAKCCzmFjfyOFGghSbGds6VJADW06SgCeOBxk
83o9HUJXkIavyn7zZX2Re+w=
=4LLz
-----END PGP SIGNATURE-----
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed