Debian Security Advisory
DSA-1764-1 tunapie -- several vulnerabilities
- Date Reported: 07 Apr 2009
- Affected Packages:
- Security database references: In Mitre's CVE dictionary: CVE-2009-1253, CVE-2009-1254.
- More information:
Several vulnerabilities have been discovered in Tunapie, a GUI frontend to video and radio streams. The Common Vulnerabilities and Exposures project identifies the following problems:
Kees Cook discovered that insecure handling of temporary files may lead to local denial of service through symlink attacks.
Mike Coleman discovered that insufficient escaping of stream URLs may lead to the execution of arbitrary commands if a user is tricked into opening a malformed stream URL.
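The two bug classes named above, shown in their hardened form as an added example. This is not Tunapie's code and not part of the advisory; the scheme allow-list, the `media-player` command name and all function names are assumptions made for illustration.

```python
import os
import tempfile
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https", "mms", "rtsp"}  # assumed allow-list


def validate_stream_url(url):
    """Accept only plain network stream URLs; raise ValueError otherwise."""
    if any(ch.isspace() or ord(ch) < 0x20 for ch in url):
        raise ValueError("whitespace or control character in URL")
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        raise ValueError("unsupported scheme or missing host")
    return url


def player_argv(url, player="media-player"):
    """Argument vector for subprocess.run(argv), i.e. without a shell.

    The URL stays one argv element, so shell metacharacters in it are data.
    "media-player" is a hypothetical command name.
    """
    return [player, validate_stream_url(url)]


def create_exclusive(path, mode=0o600):
    """Create `path` only if nothing exists there, never through a symlink.

    O_CREAT|O_EXCL fails with FileExistsError when the name is already taken,
    including by a symlink another local user planted in a shared directory.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    return os.fdopen(fd, "w")


def private_temp_file(prefix="streams-"):
    """Preferred form: unpredictable name, exclusive creation, owner-only."""
    fd, path = tempfile.mkstemp(prefix=prefix)
    return os.fdopen(fd, "w"), path
```

The pattern to avoid is building a shell command string from the URL, or opening a fixed, predictable name under `/tmp` for writing without `O_EXCL`.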
For the old stable distribution (etch), these problems have been fixed in version 1.3.1-1+etch2. Due to a technical problem, this update cannot be released synchronously with the stable (lenny) version, but will appear soon.
For the stable distribution (lenny), these problems have been fixed in version 2.1.8-2.
For the unstable distribution (sid), these problems will be fixed soon.
We recommend that you upgrade your tunapie package.
- Fixed in:
Debian GNU/Linux 5.0 (lenny)
- Architecture-independent component:
MD5 checksums of the listed files are available in the original advisory.