diff --git a/data/DTSA/hints/neilm b/data/DTSA/hints/neilm index c29865d51984271fdfcc805fb9fc889b2439f83b..1e6c9225bd4853d89a735cb41bdd38660b04f36e 100644 --- a/data/DTSA/hints/neilm +++ b/data/DTSA/hints/neilm @@ -8,3 +8,4 @@ sync uim/1:0.4.7-2.0etch1 sync centericq/4.21.0-6.0etch1 sync inkscape/0.43-0.0etch1 sync smb4k/0.6.4-0.0etch1 +sync trackballs/1.1.1-0.0etch1 diff --git a/data/DTSA/list b/data/DTSA/list index 0cb835247957efc044e0191269982f4ed8cd02e1..80f55f292fdc9d99f097d0ee1296d39108126eb1 100644 --- a/data/DTSA/list +++ b/data/DTSA/list @@ -70,3 +70,6 @@ [December 5th, 2005] DTSA-25-1 smb4k - access validation error {CVE-2005-2851 } - smb4k 0.6.4-0.0etch1 +[December 5th, 2005] DTSA-26-1 trackballs - symlink attack + { } + - trackballs 1.1.1-0.0etch1 diff --git a/website/DTSA/DTSA-26-1.html b/website/DTSA/DTSA-26-1.html new file mode 100644 index 0000000000000000000000000000000000000000..4f09401af41d227ecabf40ddfca375cf9d311fb8 --- /dev/null +++ b/website/DTSA/DTSA-26-1.html @@ -0,0 +1,91 @@ + + + Debian testing security team - Advisory + + + + +
+ + + + + Debian Project +
+
+ + + + + + + + + + + +
+ Debian testing security team - Advisory +
+ + +
+ + +

DTSA-26-1

+
+
Date Reported:
+
December 5th, 2005
+
Affected Package:
+
trackballs
+
Vulnerability:
+
symlink attack
+
Problem-Scope:
+
remote/local
+
Debian-specific:
+
No
+
CVE:
+
+None +
+
More information:
+
Ulf Harnhammar notices that that trackballs follows symlinks when running as 
+gid games. It writes to files such as $HOME/.trackballs/[USERNAME].gmr and 
+$HOME/.trackballs/settings without checking if they are symlinks somewhere 
+else. This can be abused for overwriting or creating files wherever the games 
+group is allowed to do so. 
+
+
For the testing distribution (etch) this is fixed in version 1.1.1-0.0etch1
+
For the unstable distribution (sid) this is fixed in version 1.1.1-1
+
This upgrade is recommended if you use trackballs.
+
If you have the secure testing lines in your sources.list, you can update by running this command as root:
+ +
apt-get update && apt-get upgrade
+
+ +
+
To use the Debian testing security archive, add the following lines to your /etc/apt/sources.list:
+
+
deb http://secure-testing-mirrors.debian.net/debian-secure-testing etch-proposed-updates/security-updates main contrib non-free
+
deb-src http://secure-testing-mirrors.debian.net/debian-secure-testing etch-proposed-updates/security-updates main contrib non-free
+
+
The archive signing key can be downloaded from
+
http://secure-testing.debian.net/ziyi-2005-7.asc
+ +
+ + +
+ + Valid HTML 4.01! + + Valid CSS! + + + + diff --git a/website/list.html b/website/list.html index bac33666714be9aa25908d377d7582f24a7005a5..8c97d4b44a0f6eccad92557d362bc92e07d99162 100644 --- a/website/list.html +++ b/website/list.html @@ -85,6 +85,8 @@
buffer overflow
[December 5th, 2005] DTSA-25-1 smb4k
access validation error
+
[December 5th, 2005] DTSA-26-1 trackballs
+
symlink attack
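Review bot: In data/DTSA/list, the new DTSA-26-1 entry is committed with an empty CVE field (`{ }`), while the DTSA-25-1 entry directly above it carries `{CVE-2005-2851 }`. The new advisory page says "CVE: None", so the two are consistent, but the empty braces give no way to tell "no id assigned" from "id forgotten". If an id has been requested, say so in the commit message or a follow-up so the field is filled in later and the advisory can be cross-referenced by other trackers.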
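Review bot: In website/DTSA/DTSA-26-1.html, "Problem-Scope: remote/local" does not match the "More information" text, which only describes a local case: trackballs running as gid games and following symlinks at $HOME/.trackballs/[USERNAME].gmr and $HOME/.trackballs/settings. Either set the scope to local or add a sentence explaining the remote vector. The same paragraph has a doubled word ("notices that that trackballs"). Separately, the page points readers to the archive signing key at an http:// URL without printing a fingerprint; printing the key fingerprint on the advisory page would let users verify the download before trusting it.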