apcd: symlink attack in apcd
The apcd package as shipped in Debian GNU/Linux 2.1 is vulnerable to a symlink attack. If the apcd process receives a SIGUSR1 signal, it dumps its status to /tmp/upsstat. However, this file is not opened safely, which makes it a good target for a symlink attack. This has been fixed in version 0.6a.nr-4slink1. We recommend you upgrade your apcd package immediately.
- Date Reported: 01 Feb 2000
- Affected Packages: apcd
- Vulnerable: Yes
- Fixed in:
  - source:
    - https://security.debian.org/dists/stable/updates/source/apcd_0.6a.nr-4slink1.diff.gz
    - https://security.debian.org/dists/stable/updates/source/apcd_0.6a.nr-4slink1.dsc
    - https://security.debian.org/dists/stable/updates/source/apcd_0.6a.nr.orig.tar.gz
  - alpha:
    - https://security.debian.org/dists/stable/updates/binary-alpha/apcd_0.6a.nr-4slink1_alpha.deb
  - i386:
    - https://security.debian.org/dists/stable/updates/binary-i386/apcd_0.6a.nr-4slink1_i386.deb
  - m68k:
    - https://security.debian.org/dists/stable/updates/binary-m68k/apcd_0.6a.nr-4slink1_m68k.deb
  - sparc:
    - https://security.debian.org/dists/stable/updates/binary-sparc/apcd_0.6a.nr-4slink1_sparc.deb
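The unsafe open described in the advisory, shown next to one hardened way to write a status file, as an added example: this is not apcd's source or the Debian patch, and the function names and the temp-dir scenario are constructed for illustration. Writing the file to a directory that is not world-writable (instead of /tmp) removes the exposure altogether.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Illustrative only: the pattern the advisory warns about.
 * fopen("w") follows a symlink at path and truncates its target. */
int dump_unsafe(const char *path, const char *status) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(status, f);
    return fclose(f);
}

/* Hardened: drop any stale entry (unlink never follows a link), then create
 * exclusively. A link planted in between makes open() fail with EEXIST. */
int dump_safe(const char *path, const char *status) {
    if (unlink(path) != 0 && errno != ENOENT) return -1;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    size_t len = strlen(status);
    int ok = write(fd, status, len) == (ssize_t)len;
    return (close(fd) == 0 && ok) ? 0 : -1;
}

/* Constructed scenario in a private temp dir: "upsstat" is a symlink to a
 * file holding "keep". Returns 1 if that file is intact after the dump. */
int target_survives(int (*dump)(const char *, const char *)) {
    char dir[] = "/tmp/symdemoXXXXXX", target[64], link[64], buf[8] = {0};
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(link, sizeof link, "%s/upsstat", dir);
    FILE *f = fopen(target, "w");
    if (!f) return -1;
    fputs("keep", f); fclose(f);
    if (symlink(target, link) != 0) return -1;
    dump(link, "UPS status\n");
    f = fopen(target, "r");
    if (f) { if (fread(buf, 1, 4, f) != 4) buf[0] = 0; fclose(f); }
    unlink(link); unlink(target); rmdir(dir);
    return strcmp(buf, "keep") == 0;
}

int main(void) {
    printf("target intact: unsafe=%d\n", target_survives(dump_unsafe));
    printf("target intact: safe=%d\n", target_survives(dump_safe));
    return 0;
}
```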