The apcd package as shipped in Debian GNU/Linux 2.1 is vulnerable to a symlink attack. If the apcd process gets a SIGUSR1 signal it will dump its status to /tmp/upsstat. However this file is not opened safely, which makes it a good target for a symlink attack. This has been fixed in version 0.6a.nr-4slink1. We recommend you upgrade your apcd package immediately.

Date Reported:

01 Feb 2000

Affected Packages:

apcd

Vulnerable:

Yes

For more information:

The apcd package as shipped in Debian GNU/Linux 2.1 is vulnerable to a symlink attack. If the apcd process gets a SIGUSR1 signal it will dump its status to /tmp/upsstat. However this file is not opened safely, which makes it a good target for a symlink attack.

This has been fixed in version 0.6a.nr-4slink1. We recommend you upgrade your apcd package immediately.

Fixed in:

source:

http://security.debian.org/dists/stable/updates/source/apcd_0.6a.nr-4slink1.diff.gz

http://security.debian.org/dists/stable/updates/source/apcd_0.6a.nr-4slink1.dsc

http://security.debian.org/dists/stable/updates/source/apcd_0.6a.nr.orig.tar.gz

alpha:

http://security.debian.org/dists/stable/updates/binary-alpha/apcd_0.6a.nr-4slink1_alpha.deb

i386:

http://security.debian.org/dists/stable/updates/binary-i386/apcd_0.6a.nr-4slink1_i386.deb

m68k:

http://security.debian.org/dists/stable/updates/binary-m68k/apcd_0.6a.nr-4slink1_m68k.deb

sparc:

http://security.debian.org/dists/stable/updates/binary-sparc/apcd_0.6a.nr-4slink1_sparc.deb