<?xml version="1.0" encoding="utf-8"?>
<glsa id="200501-42">
<title>VDR: Arbitrary file overwriting issue</title>
<synopsis>
VDR insecurely accesses files with elevated privileges, which may result in
the overwriting of arbitrary files.
</synopsis>
<product type="ebuild">VDR</product>
<announced>January 30, 2005</announced>
<revised>January 30, 2005: 01</revised>
<affected>
<package name="media-video/vdr" auto="yes" arch="*">
<unaffected range="ge">1.2.6-r1</unaffected>
<vulnerable range="lt">1.2.6-r1</vulnerable>
</package>
</affected>
<background>
<p>
Video Disk Recorder (VDR) is a Linux-based digital video recorder.
The VDR program handles the On Screen Menu system that offers complete
control over channel settings, timers and recordings.
</p>
</background>
<description>
<p>
Javier Fernandez-Sanguino Pena from the Debian Security Audit Team
discovered that VDR accesses user-controlled files insecurely.
</p>
</description>
<impact type="normal">
<p>
A local attacker could create malicious links and invoke a VDR
recording that would overwrite arbitrary files on the system.
</p>
</impact>
<workaround>
<p>
There is no known workaround at this time.
</p>
</workaround>
<resolution>
<p>
All VDR users should upgrade to the latest version:
</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose &quot;&gt;=media-video/vdr-1.2.6-r1&quot;</code>
</resolution>
<references>
<uri link="">CAN-2005-0071</uri>
</references>
</glsa>
