Debian Security Advisory

DSA-901-1 gnump3d -- programming error

Date Reported:
19 Nov 2005
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2005-3349, CVE-2005-3355.
More information:

Several vulnerabilities have been discovered in gnump3d, a streaming server for MP3 and OGG files. The Common Vulnerabilities and Exposures Project identifies the following problems:

  • CVE-2005-3349

    Ludwig Nussel discovered several temporary files that are created with predictable filenames in an insecure fashion and allows local attackers to craft symlink attacks.

  • CVE-2005-3355

    Ludwig Nussel discovered that the theme parameter to HTTP requests may be used for path traversal.

The old stable distribution (woody) does not contain a gnump3d package.

For the stable distribution (sarge) these problems have been fixed in version 2.9.3-1sarge3.

For the unstable distribution (sid) these problems have been fixed in version 2.9.8-1.

We recommend that you upgrade your gnump3 package.

Fixed in:

Debian GNU/Linux 3.1 (sarge)

Architecture-independent component:

MD5 checksums of the listed files are available in the original advisory.