On snein 27 Septimber 2009, Paul Wise wrote:
> Package: merkaartor
> Version: 0.14+svnfixes~20090912-1
> Severity: important
> Tags: security
>
> Found a minor symlink attack in merkaartor. It allows a local attacker
> to append the contents of the merkaartor log file to arbitrary files
> owned by the user running merkaartor.

Thanks for reporting. Some observations:
* applies to squeeze/sid but not lenny.
* merkaartor does not run as root so this is not a critical issue.

Uploading a fix to sid (and bpo?), perhaps with bumped urgency, would clear 
the issue.


cheers,
Thijs

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply via email to