Progeny Security Advisory: Older versions of NEdit make insecure use of temp files
Apr 27, 2001, 15:42
From: Progeny Security Team <firstname.lastname@example.org>
Subject: PROGENY-SA-2001-10: Older versions of NEdit make insecure use of temp files
Date: 27 Apr 2001 10:28:36 -0500
Synopsis: Older versions of NEdit make insecure use of temp files
Affects: Progeny Debian (nedit prior to 5.1.1-1.0progeny1)
Progeny Only: NO
Vendor-Status: New Version Released 5.1.1-1.0progeny1
$Id: PROGENY-SA-2001-10,v 1.1 2001/04/27 15:09:05 jdaily Exp $
NEdit, a popular GUI editor, insecurely opens a file in /tmp for printing purposes. This vulnerability could be used by a local attacker to cause a privileged user to unwittingly overwrite a file (via a symbolic link) to which the user has write access.
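The class of bug described above, as an added C illustration that is not NEdit's code: opening a name in a shared directory without exclusive creation follows a symbolic link that is already there, while an exclusive open refuses it. The function names, the print.tmp file name and the scratch directory are hypothetical, and the scenario is constructed.

```c
/* Added illustration, not NEdit source. All names and paths are hypothetical. */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak: a name in a shared directory is opened as-is, so open() follows a
 * symlink already sitting there and truncates the file it points to. */
int open_tmp_weak(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_EXCL fails with EEXIST if the name exists, symlink included
 * (O_NOFOLLOW as backup). mkstemp(3) does this and randomizes the name. */
int open_tmp_excl(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario in a private scratch directory: print.tmp is already a
 * symlink to target. Returns target's size after the open, -1 on setup error. */
long target_size_after(int use_weak)
{
    char dir[] = "/tmp/tmpdemoXXXXXX", target[64], lnk[64];
    struct stat st;
    long size = -1;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/print.tmp", dir);
    FILE *f = fopen(target, "w");
    if (f) { fputs("important data\n", f); fclose(f); }
    if (f && symlink(target, lnk) == 0) {
        int fd = use_weak ? open_tmp_weak(lnk) : open_tmp_excl(lnk);
        if (fd >= 0) close(fd);
        if (stat(target, &st) == 0) size = (long)st.st_size;
    }
    unlink(lnk); unlink(target); rmdir(dir);
    return size;
}

int main(void)
{
    printf("weak open: target is %ld bytes; exclusive open: %ld bytes\n",
           target_size_after(1), target_size_after(0));
    return 0;
}
```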
SOLUTION (See also: UPDATING VIA APT-GET)
If you have NEdit installed, upgrade to a fixed version of nedit. nedit version 5.1.1-1.0progeny1 corrects the problem. For your convenience, you may upgrade to the new package.
If you aren't sure if you have NEdit installed, type:
dpkg -l nedit
...at a command prompt. If you don't have it installed, you can disregard this warning.
UPDATING VIA APT-GET
1. Ensure that your /etc/apt/sources.list file has a URI for Progeny's update repository:
deb http://archive.progeny.com/progeny updates/newton/
2. Update your cache of available packages for apt(8).
# apt-get update
3. Using apt(8), install the new package. apt(8) will download the update, verify its integrity with md5, and then install the package on your system with dpkg(8).
# apt-get install nedit
UPDATING VIA DPKG
1. Use your preferred FTP/HTTP client to retrieve the following updated files from Progeny's update archive at:
MD5 Checksum                     Filename
-------------------------------- -------------------------------------
142a511170fbf30ce2881d362787658a nedit_5.1.1-1.0progeny1_i386.deb
2. Use the md5sum command on the retrieved files to verify that they match the md5sum provided in this advisory:
# md5sum nedit_5.1.1-1.0progeny1_i386.deb
3. Then install the replacement package(s) using the dpkg command.
# dpkg --install nedit_5.1.1-1.0progeny1_i386.deb
Other than removing the nedit software, no known workaround exists for this vulnerability.
Progeny advisories can be found at http://www.progeny.com/security/.
pub 1024D/F92D4D1F 2001-04-04 Progeny Security Team <email@example.com>