Debian Security Advisory

apcd -- symlink attack in apcd

Date Reported:

01 Feb 2000

Affected Packages:

apcd

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2000-0107.

More information:

The apcd package as shipped in Debian GNU/Linux 2.1 is vulnerable to a symlink attack. If the apcd process gets a SIGUSR1 signal it will dump its status to /tmp/upsstat. However this file is not opened safely, which makes it a good target for a symlink attack.

This has been fixed in version 0.6a.nr-4slink1. We recommend you upgrade your apcd package immediately.

Fixed in:

Source:: http://security.debian.org/dists/stable/updates/source/apcd_0.6a.nr-4slink1.diff.gz; http://security.debian.org/dists/stable/updates/source/apcd_0.6a.nr-4slink1.dsc; http://security.debian.org/dists/stable/updates/source/apcd_0.6a.nr.orig.tar.gz
alpha:: http://security.debian.org/dists/stable/updates/binary-alpha/apcd_0.6a.nr-4slink1_alpha.deb
i386:: http://security.debian.org/dists/stable/updates/binary-i386/apcd_0.6a.nr-4slink1_i386.deb
m68k:: http://security.debian.org/dists/stable/updates/binary-m68k/apcd_0.6a.nr-4slink1_m68k.deb
sparc:: http://security.debian.org/dists/stable/updates/binary-sparc/apcd_0.6a.nr-4slink1_sparc.deb