Debian Security Advisory DSA 202-2 (im)

Published: 2008-01-17 21:28:10
CVE Author: NIST National Vulnerability Database (NVD)

CVSS Base Vector:
AV:L/AC:L/Au:N/C:N/I:P/A:N

Recommendations:
https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20202-2

Technical Details:
Despite popular belief, the IM Linux Distribution Packages are not architecture independent, since the number of the fsync syscal is detected on build time and this number differs on Linux architectures and other operating systems. As a result of this the optional feature ``NoSync=no'' does only work on the architecture the Linux Distribution Package was built on. As usual, we are including the text of the original advisory DSA 202-1: Tatsuya Kinoshita discovered that IM, which contains interface commands and Perl libraries for E-mail and NetNews, creates temporary files insecurely. 1. The impwagent program creates a temporary directory in an insecure manner in /tmp using predictable directory names without checking the return code of mkdir, so it's possible to seize a permission of the temporary directory by local access as another user. 2. The immknmz program creates a temporary file in an insecure manner in /tmp using a predictable filename, so an attacker with local access can easily create and overwrite files as another user. This problem has been fixed in version 141-18.2 for the current stable distribution (woody), in version 133-2.3 of the old stable distribution (potato). A correection is expected for the unstable distribution (sid) soon. We recommend that you upgrade your IM Linux Distribution Package.

Summary:
The remote host is missing an update to im announced via advisory DSA 202-2.

Detection Type:
Linux Distribution Package

Solution Type:
Vendor Patch

NIST (National Institute of Standards and Technology) NVD (National Vulnerability Database)

https://nvd.nist.gov/vuln/detail/CVE-2002-1395

Search
Severity
Low
CVSS Score
2.1

You never have to pay for a vulnerability scanning and management software again.

Tired of paying a subscription 'per asset' or 'per IP'? Well you can officially cancel your current subscription. Mageni provides a free, open source and enterprise-ready vulnerability scanning and management platform which helps you to find, prioritize, remediate and manage your vulnerabilities. It is free and always will be.