Security Information / 2014 / Security Information -- DSA-3048-1 apt

Debian Security Advisory

DSA-3048-1 apt -- security update

Date Reported:

08 Oct 2014

Affected Packages:

apt

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 763780.
In Mitre's CVE dictionary: CVE-2014-7206.

More information:

Guillem Jover discovered that the changelog retrieval functionality in apt-get used temporary files in an insecure way, allowing a local user to cause arbitrary files to be overwritten.

This vulnerability is neutralized by the fs.protected_symlinks setting in the Linux kernel, which is enabled by default in Debian 7 Wheezy and up.

For the stable distribution (wheezy), this problem has been fixed in version 0.9.7.9+deb7u6.

For the unstable distribution (sid), this problem has been fixed in version 1.0.9.2.

We recommend that you upgrade your apt packages.