Debian Security Advisory
DSA-279-1 metrics -- insecure temporary file creation
- Date Reported:
- 07 Apr 2003
- Affected Packages:
- Security database references:
- In the Bugtraq database (at SecurityFocus): BugTraq ID 7293.
In Mitre's CVE dictionary: CVE-2003-0202.
- More information:
Paul Szabo and Matt Zimmerman discovered two similar problems in metrics, a tools for software metrics. Two scripts in this package, "halstead" and "gather_stats", open temporary files without taking appropriate security precautions. "halstead" is installed as a user program, while "gather_stats" is only used in an auxiliary script included in the source code. These vulnerabilities could allow a local attacker to overwrite files owned by the user running the scripts, including root.
The stable distribution (woody) is not affected since it doesn't contain a metrics package anymore.
For the old stable distribution (potato) this problem has been fixed in version 1.0-1.1.
The unstable distribution (sid) is not affected since it doesn't contain a metrics package anymore.
We recommend that you upgrade your metrics package.
- Fixed in:
Debian GNU/Linux 2.2 (potato)
- Intel IA-32:
- Motorola 680x0:
- Sun Sparc:
MD5 checksums of the listed files are available in the original advisory.