Executive Summary
| Summary | |
|---|---|
| Title | cdrecord vulnerability |
| Informations | |||
|---|---|---|---|
| Name | USN-100-1 | First vendor Publication | 2005-03-24 |
| Vendor | Ubuntu | Last vendor Modification | 2005-03-24 |
| Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:L/AC:L/Au:N/C:N/I:P/A:N) | |||
|---|---|---|---|
| Cvss Base Score | 2.1 | Attack Range | Local |
| Cvss Impact Score | 2.9 | Attack Complexity | Low |
| Cvss Expoit Score | 3.9 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| A security issue affects the following Ubuntu releases: Ubuntu 4.10 (Warty Warthog) The following packages are affected: cdrecord The problem can be corrected by upgrading the affected package to version 4:2.0+a30.pre1-1ubuntu2.2. In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: Javier Fernández-Sanguino Peña noticed that cdrecord created temporary files in an insecure manner if DEBUG was enabled in /etc/cdrecord/rscsi. If the default value was used (which stored the debug output file in /tmp), this could allow a symbolic link attack to create or overwrite arbitrary files with the privileges of the user invoking cdrecord. Please note that DEBUG is not enabled by default in Ubuntu, so if you did not explicitly enable it, this does not affect you. |
Original Source
| Url : http://www.ubuntu.com/usn/USN-100-1 |
CPE : Common Platform Enumeration
| Type | Description | Count |
|---|---|---|
| Application | 2 |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 15193 | cdrtools DEBUG Mode Symlink Privilege Escalation |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2006-01-15 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-100-1.nasl - Type : ACT_GATHER_INFO |
| 2005-04-21 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2005-077.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 11:57:57 |
|
