Executive Summary
| Summary | |
|---|---|
| Title | New tunapie packages fix several vulnerabilities |
| Informations | |||
|---|---|---|---|
| Name | DSA-1764 | First vendor Publication | 2009-04-07 |
| Vendor | Debian | Last vendor Modification | 2009-04-07 |
| Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P) | |||
|---|---|---|---|
| Cvss Base Score | 6.8 | Attack Range | Network |
| Cvss Impact Score | 6.4 | Attack Complexity | Medium |
| Cvss Expoit Score | 8.6 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| Several vulnerabilities have been discovered in Tunapie, a GUI frontend to video and radio streams. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-1253 Kees Cook discovered that insecure handling of temporary files may lead to local denial of service through symlink attacks. CVE-2009-1254 Mike Coleman discovered that insufficient escaping of stream URLs may lead to the execution of arbitrary commands if a user is tricked into opening a malformed stream URL. For the old stable distribution (etch), these problems have been fixed in version 1.3.1-1+etch2. Due to a technical problem, this update cannot be released synchronously with the stable (lenny) version, but will appear soon. For the stable distribution (lenny), these problems have been fixed in version 2.1.8-2. For the unstable distribution (sid), these problems will be fixed soon. We recommend that you upgrade your tunapie package. |
Original Source
| Url : http://www.debian.org/security/2009/dsa-1764 |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 50 % | CWE-59 | Improper Link Resolution Before File Access ('Link Following') |
| 50 % | CWE-20 | Improper Input Validation |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:13336 | |||
| Oval ID: | oval:org.mitre.oval:def:13336 | ||
| Title: | DSA-1764-1 tunapie -- several | ||
| Description: | Several vulnerabilities have been discovered in Tunapie, a GUI frontend to video and radio streams. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-1253 Kees Cook discovered that insecure handling of temporary files may lead to local denial of service through symlink attacks. CVE-2009-1254 Mike Coleman discovered that insufficient escaping of stream URLs may lead to the execution of arbitrary commands if a user is tricked into opening a malformed stream URL. For the old stable distribution, these problems have been fixed in version 1.3.1-1+etch2. Due to a technical problem, this update cannot be released synchronously with the stable version, but will appear soon. For the stable distribution, these problems have been fixed in version 2.1.8-2. For the unstable distribution , these problems will be fixed soon. We recommend that you upgrade your tunapie package. | ||
| Family: | unix | Class: | patch |
| Reference(s): | DSA-1764-1 CVE-2009-1253 CVE-2009-1254 | Version: | 5 |
| Platform(s): | Debian GNU/Linux 5.0 | Product(s): | tunapie |
| Definition Synopsis: | |||
| Definition Id: oval:org.mitre.oval:def:8185 | |||
| Oval ID: | oval:org.mitre.oval:def:8185 | ||
| Title: | DSA-1764 tunapie -- several vulnerabilities | ||
| Description: | Several vulnerabilities have been discovered in Tunapie, a GUI frontend to video and radio streams. The Common Vulnerabilities and Exposures project identifies the following problems: Kees Cook discovered that insecure handling of temporary files may lead to local denial of service through symlink attacks. Mike Coleman discovered that insufficient escaping of stream URLs may lead to the execution of arbitrary commands if a user is tricked into opening a malformed stream URL. | ||
| Family: | unix | Class: | patch |
| Reference(s): | DSA-1764 CVE-2009-1253 CVE-2009-1254 | Version: | 3 |
| Platform(s): | Debian GNU/Linux 5.0 | Product(s): | tunapie |
| Definition Synopsis: | |||
CPE : Common Platform Enumeration
| Type | Description | Count |
|---|---|---|
| Application | 1 |
OpenVAS Exploits
| Date | Description |
|---|---|
| 2009-04-15 | Name : Debian Security Advisory DSA 1764-1 (tunapie) File : nvt/deb_1764_1.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 53427 | Tunapie Stream URL Shell Metacharacter Arbitrary Remote Command Execution |
| 53426 | Tunapie Unspecified Temporary File Symlink Arbitrary File Overwrite |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2009-04-09 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1764.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 11:28:21 |
|
