Free and open-source vulnerability scanner

Mageni eases for you the vulnerability scanning, assessment, and management process. It is free and open-source.

Install Now

Available for macOS, Windows, and Linux

App screenshot

Debian Security Advisory DSA 202-2 (im)

Information

Severity

Severity

Low

Family

Family

Debian Local Security Checks

CVSSv2 Base

CVSSv2 Base

2.1

CVSSv2 Vector

CVSSv2 Vector

AV:L/AC:L/Au:N/C:N/I:P/A:N

Solution Type

Solution Type

Vendor Patch

Created

Created

16 years ago

Modified

Modified

6 years ago

Summary

The remote host is missing an update to im announced via advisory DSA 202-2.

Insight

Insight

Despite popular belief, the IM packages are not architecture independent, since the number of the fsync syscal is detected on build time and this number differs on Linux architectures and other operating systems. As a result of this the optional feature ``NoSync=no'' does only work on the architecture the package was built on. As usual, we are including the text of the original advisory DSA 202-1: Tatsuya Kinoshita discovered that IM, which contains interface commands and Perl libraries for E-mail and NetNews, creates temporary files insecurely. 1. The impwagent program creates a temporary directory in an insecure manner in /tmp using predictable directory names without checking the return code of mkdir, so it's possible to seize a permission of the temporary directory by local access as another user. 2. The immknmz program creates a temporary file in an insecure manner in /tmp using a predictable filename, so an attacker with local access can easily create and overwrite files as another user. This problem has been fixed in version 141-18.2 for the current stable distribution (woody), in version 133-2.3 of the old stable distribution (potato). A correection is expected for the unstable distribution (sid) soon. We recommend that you upgrade your IM package.

Solution

Solution

https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20202-2

Common Vulnerabilities and Exposures (CVE)