Debian Security Advisory

DSA-661-2 f2c -- insecure temporary files

Date Reported:
20 Apr 2005
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2005-0017, CVE-2005-0018.
More information:

Dan McMahill noticed that our advisory DSA 661-1 did not correct the multiple insecure files problem, hence this update. For completeness, the original advisory text follows:

Javier Fernández-Sanguino Peña from the Debian Security Audit project discovered that f2c and fc, which are both part of the f2c package, a Fortran 77 to C/C++ translator, open temporary files insecurely and are hence vulnerable to a symlink attack. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities:

  • CAN-2005-0017

    Multiple insecure temporary files in the f2c translator.

  • CAN-2005-0018

    Two insecure temporary files in the f2 shell script.

For the stable distribution (woody) and all others, including testing, this problem has been fixed in version 20010821-3.2.

We recommend that you upgrade your f2c package.
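The bug class named above, shown as an added example (not code from f2c, the fc script, or the Debian patch): a predictable temporary file name opened without `O_EXCL` next to two hardened forms, run against a symlink planted in a private scratch directory. The file name `f2c_tmp`, the scratch directory and the victim file are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: predictable name, no O_EXCL. A symlink planted at
 * `path` is followed and its target truncated. */
int open_tmp_predictable(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened fixed name: O_EXCL fails with EEXIST on any existing entry,
 * symlinks included; O_NOFOLLOW is defence in depth. */
int open_tmp_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred: mkstemp() picks an unpredictable name and creates it with
 * O_EXCL, mode 0600. `tmpl` must end in "XXXXXX" and is rewritten. */
int open_tmp_mkstemp(char *tmpl) { return mkstemp(tmpl); }

/* Constructed scenario: a symlink at the predictable name points at a victim
 * file. Returns the victim's size after `opener` runs; *fd_out gets its fd. */
long victim_size_after(int (*opener)(const char *), int *fd_out) {
    char dir[] = "/tmp/dsa661-demo-XXXXXX", victim[64], tmp[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;                   /* private 0700 directory */
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmp, sizeof tmp, "%s/f2c_tmp", dir);   /* hypothetical name */
    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs("important data\n", f);                   /* 15 bytes */
    fclose(f);
    if (symlink(victim, tmp) != 0) return -1;
    *fd_out = opener(tmp);
    if (*fd_out >= 0) close(*fd_out);
    long size = stat(victim, &st) == 0 ? (long)st.st_size : -1;
    unlink(tmp); unlink(victim); rmdir(dir);
    return size;
}

int main(void) {
    int fd;
    printf("predictable: %ld bytes left\n", victim_size_after(open_tmp_predictable, &fd));
    printf("exclusive:   %ld bytes left\n", victim_size_after(open_tmp_exclusive, &fd));
    return 0;
}
```

With the predictable open the victim file is emptied; with the exclusive open the call fails and the victim keeps its contents.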

Fixed in:

Debian GNU/Linux 3.0 (woody)

Intel IA-32:
Intel IA-64:
Motorola 680x0:
Big endian MIPS:
Little endian MIPS:
IBM S/390:
Sun Sparc:

MD5 checksums of the listed files are available in the original advisory.

MD5 checksums of the listed files are available in the revised advisory.