Debian Security Advisory

DSA-446-1 synaesthesia -- insecure file creation

Date Reported:
21 Feb 2004
Affected Packages:
Security database references:
In the Bugtraq database (at SecurityFocus): BugTraq ID 9713.
In Mitre's CVE dictionary: CVE-2004-0160.
More information:

Ulf Härnhammar from the Debian Security Audit Project discovered a vulnerability in synaesthesia, a program which represents sounds visually. synaesthesia created its configuration file while holding root privileges, allowing a local user to create files owned by root and writable by the user's primary group. This type of vulnerability can usually be easily exploited to execute arbitrary code with root privileges by various means.

For the current stable distribution (woody) this problem has been fixed in version 2.1-2.1woody1.

The unstable distribution (sid) is not affected by this problem, because synaesthesia is no longer setuid.

We recommend that you update your synaesthesia package.

Fixed in:

Debian GNU/Linux 3.0 (woody)

Intel IA-32:
Intel IA-64:
Motorola 680x0:
Big endian MIPS:
IBM S/390:
Sun Sparc:

MD5 checksums of the listed files are available in the original advisory.