Debian Security Advisory
DSA-342-1 mozart -- unsafe mailcap configuration
- Date Reported:
- 07 Jul 2003
- Affected Packages:
- mozart
- Vulnerable:
- Yes
- Security database references:
- In the Bugtraq database (at SecurityFocus): BugTraq ID 8125.
In Mitre's CVE dictionary: CVE-2003-0538. - More information:
-
mozart, a development platform based on the Oz language, includes MIME configuration data which specifies that Oz applications should be passed to the Oz interpreter for execution. This means that file managers, web browsers, and other programs which honor the mailcap file could automatically execute Oz programs downloaded from untrusted sources. Thus, a malicious Oz program could execute arbitrary code under the uid of a user running a MIME-aware client program if the user selected a file (for example, choosing a link in a web browser).
For the stable distribution (woody) this problem has been fixed in version 1.2.3.20011204-3woody1.
For the unstable distribution (sid) this problem has been fixed in version 1.2.5.20030212-2.
We recommend that you update your mozart package.
- Fixed in:
-
Debian GNU/Linux 3.0 (woody)
- Source:
- http://security.debian.org/pool/updates/main/m/mozart/mozart_1.2.3.20011204-3woody1.dsc
- http://security.debian.org/pool/updates/main/m/mozart/mozart_1.2.3.20011204-3woody1.diff.gz
- http://security.debian.org/pool/updates/main/m/mozart/mozart_1.2.3.20011204.orig.tar.gz
- http://security.debian.org/pool/updates/main/m/mozart/mozart_1.2.3.20011204-3woody1.diff.gz
- Architecture-independent component:
- http://security.debian.org/pool/updates/main/m/mozart/mozart-doc-html_1.2.3.20011204-3woody1_all.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/m/mozart/mozart_1.2.3.20011204-3woody1_i386.deb
- http://security.debian.org/pool/updates/main/m/mozart/mozart-contrib_1.2.3.20011204-3woody1_i386.deb
- http://security.debian.org/pool/updates/main/m/mozart/mozart-contrib_1.2.3.20011204-3woody1_i386.deb
- Motorola 680x0:
- http://security.debian.org/pool/updates/main/m/mozart/mozart_1.2.3.20011204-3woody1_m68k.deb
- http://security.debian.org/pool/updates/main/m/mozart/mozart-contrib_1.2.3.20011204-3woody1_m68k.deb
- http://security.debian.org/pool/updates/main/m/mozart/mozart-contrib_1.2.3.20011204-3woody1_m68k.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/m/mozart/mozart_1.2.3.20011204-3woody1_powerpc.deb
- http://security.debian.org/pool/updates/main/m/mozart/mozart-contrib_1.2.3.20011204-3woody1_powerpc.deb
- http://security.debian.org/pool/updates/main/m/mozart/mozart-contrib_1.2.3.20011204-3woody1_powerpc.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/m/mozart/mozart_1.2.3.20011204-3woody1_sparc.deb
- http://security.debian.org/pool/updates/main/m/mozart/mozart-contrib_1.2.3.20011204-3woody1_sparc.deb
- http://security.debian.org/pool/updates/main/m/mozart/mozart-contrib_1.2.3.20011204-3woody1_sparc.deb
MD5 checksums of the listed files are available in the original advisory.