Mandrake Linux Security Advisory : cdrecord (MDKSA-2005:077)

Low Nessus Plugin ID 18107


The remote Mandrake Linux host is missing one or more security updates.


Javier Fernandez-Sanguino Pena discovered that cdrecord created temporary files in an insecure manner if DEBUG was enabled in /etc/cdrecord/rscsi. If the default value was used (which stored the debug output file in /tmp), a symbolic link attack could be used to create or overwrite arbitrary files with the privileges of the user invoking cdrecord. Please note that by default this configuration file does not exist in Mandriva Linux so unless you create it and enable DEBUG, this does not affect you.

The updated packages have been patched to correct these issues.


Update the affected packages.

See Also

Plugin Details

Severity: Low

ID: 18107

File Name: mandrake_MDKSA-2005-077.nasl

Version: $Revision: 1.13 $

Type: local

Published: 2005/04/21

Modified: 2013/05/31

Dependencies: 12634

Risk Information

Risk Factor: Low


Base Score: 2.1

Vector: CVSS2#AV:L/AC:L/Au:N/C:N/I:P/A:N

Vulnerability Information

CPE: p-cpe:/a:mandriva:linux:cdrecord, p-cpe:/a:mandriva:linux:cdrecord-cdda2wav, p-cpe:/a:mandriva:linux:cdrecord-devel, p-cpe:/a:mandriva:linux:cdrecord-isotools, p-cpe:/a:mandriva:linux:cdrecord-vanilla, p-cpe:/a:mandriva:linux:mkisofs, cpe:/o:mandrakesoft:mandrake_linux:10.0, cpe:/o:mandrakesoft:mandrake_linux:10.1, x-cpe:/o:mandrakesoft:mandrake_linux:le2005

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Patch Publication Date: 2005/04/20

Reference Information

CVE: CVE-2005-0866

MDKSA: 2005:077