Detections
Analytics
Debian DSA-1022-1 : storebackup - several vulnerabilities
medium Nessus Plugin ID 22564
Synopsis
The remote Debian host is missing a security-related update.Description
Several vulnerabilities have been discovered in the backup utility storebackup. The Common Vulnerabilities and Exposures project identifies the following problems :- CVE-2005-3146 Storebackup creates a temporary file predictably, which can be exploited to overwrite arbitrary files on the system with a symlink attack.
- CVE-2005-3147 The backup root directory wasn't created with fixed permissions, which may lead to inproper permissions if the umask is too lax.
- CVE-2005-3148 The user and group rights of symlinks are set incorrectly when making or restoring a backup, which may leak sensitive data.
Solution
Upgrade the storebackup package.The old stable distribution (woody) doesn't contain storebackup packages.
For the stable distribution (sarge) these problems have been fixed in version 1.18.4-2sarge1.
See Also
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=332434
https://security-tracker.debian.org/tracker/CVE-2005-3146
https://security-tracker.debian.org/tracker/CVE-2005-3147
Plugin Details
Severity: Medium
ID: 22564
File Name: debian_DSA-1022.nasl
Version: 1.16
Type: local
Agent: unix
Family: Debian Local Security Checks
Published: 10/14/2006
Updated: 1/4/2021
Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 4.7
CVSS v2
Risk Factor: Medium
Base Score: 4.6
Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P
Vulnerability Information
CPE: p-cpe:/a:debian:debian_linux:storebackup, cpe:/o:debian:debian_linux:3.1
Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l
Patch Publication Date: 4/4/2006
Vulnerability Publication Date: 8/5/2005
Reference Information
CVE: CVE-2005-3146, CVE-2005-3147, CVE-2005-3148
DSA: 1022