Debian Security Advisory

DSA-1643-1 feta -- insecure temp file handling

Date Reported:
05 Oct 2008
Affected Packages:
feta
Vulnerable:
Yes
Security database references:
In the Debian bugtracking system: Bug 496397.
In Mitre's CVE dictionary: CVE-2008-4440.
More information:

Dmitry E. Oboukhov discovered that the "to-upgrade" plugin of Feta, a simpler interface to APT, dpkg, and other Debian package tools creates temporary files insecurely, which may lead to local denial of service through symlink attacks.

For the stable distribution (etch), this problem has been fixed in version 1.4.15+etch1.

For the unstable distribution (sid), this problem has been fixed in version 1.4.16+nmu1.

We recommend that you upgrade your feta package.

Fixed in:

Debian GNU/Linux 4.0 (etch)

Source:
http://security.debian.org/pool/updates/main/f/feta/feta_1.4.15+etch1.dsc
http://security.debian.org/pool/updates/main/f/feta/feta_1.4.15+etch1.tar.gz
Architecture-independent component:
http://security.debian.org/pool/updates/main/f/feta/feta_1.4.15+etch1_all.deb

MD5 checksums of the listed files are available in the original advisory.