LWN.net Logo

Advertisement

TrustCommerce

E-Commerce & credit card processing - the Open Source way!

Advertise here

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for January 8, 2009

Btrfs aims for the mainline

The Android Dev Phone 1

LWN.net Weekly Edition for December 25, 2008

The Grumpy Editor's 2008 retrospective

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

Gentoo alert 200803-03 (audacity)



From:
    	      Pierre-Yves Rofes <py@gentoo.org>


To:
    	      gentoo-announce@lists.gentoo.org


Subject:
    	      [gentoo-announce] [ GLSA 200803-03 ] Audacity: Insecure temporary file creation


Date:
    	      Mon, 03 Mar 2008 01:15:21 +0100


Message-ID:
    	      <47CB4319.90808@gentoo.org>


Cc:
    	      full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com,
 security-alerts@linuxsecurity.com


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200803-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Audacity: Insecure temporary file creation
      Date: March 02, 2008
      Bugs: #199751
        ID: 200803-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Audacity uses temporary files in an insecure manner, allowing for a
symlink attack.

Background
==========

Audacity is a free cross-platform audio editor.

Affected packages
=================

    -------------------------------------------------------------------
     Package               /  Vulnerable  /                 Unaffected
    -------------------------------------------------------------------
  1  media-sound/audacity     < 1.3.4-r1                   >= 1.3.4-r1

Description
===========

Viktor Griph reported that the "AudacityApp::OnInit()" method in file
src/AudacityApp.cpp does not handle temporary files properly.

Impact
======

A local attacker could exploit this vulnerability to conduct symlink
attacks to delete arbitrary files and directories with the privileges
of the user running Audacity.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Audacity users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=media-sound/audacity-1.3.4-r1"

References
==========

  [ 1 ] CVE-2007-6061
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6061

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200803-03.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHy0MZuhJ+ozIKI5gRAqIaAJ4/xcftU28JRF8y4M5j7GDfW3CsQgCfSEn7
TcXpjtDSEWTcIzwmG4rRZ3o=
=s495
-----END PGP SIGNATURE-----
-- 
gentoo-announce@lists.gentoo.org mailing list
(Log in to post comments)

Gentoo security update to audacity

Posted Mar 4, 2008 18:32 UTC (Tue) by Xanadu (guest, #1215) [Link] 

Out of curiosity, how is LWN notified of this notices?  This one for 
Audacity was a little while ago, but the message is saying it's very new.  
According to the (Gentoo) Changelog:

------------------------
*audacity-1.3.4-r1 (26 Jan 2008)

  26 Jan 2008; Alexis Ballier <aballier@gentoo.org>
  +files/CVE-2007-6061.patch, +audacity-1.3.4-r1.ebuild:
  Add a patch for temporary file vulnerablilty (CVE-2007-6061), bug 
#199751.
  It will set the default temporary file location to the user home 
directory
  add discard preferences if it is in /tmp.
------------------------

but this notice is dated March 2nd.

I'm just wondering, I'm not complaining.

Thanx,
M.

Gentoo security update to audacity

Posted Mar 4, 2008 19:20 UTC (Tue) by jake (editor, #205) [Link] 

> Out of curiosity, how is LWN notified of this notices?

We get email from gentoo-announce and/or bugtraq with the advisory.  Not sure why it would
have been delayed, perhaps it just slipped through the cracks or wasn't considered severe
enough to do a release.

jake

Gentoo security update to audacity

Posted Mar 6, 2008 17:52 UTC (Thu) by Xanadu (guest, #1215) [Link]

Cool.

It's not like Audacity is some "mission critical" app like apache or something. :-) I could see delay there.

Still, I was just wondering how you guys actually get notified of these things. Thank you for the reply and the info!

M.

Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds