2
Candidate: CVE-2008-3699
4
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3699
6
The MagnatuneBrowser::listDownloadComplete function in
7
magnatunebrowser/magnatunebrowser.cpp in Amarok before 1.4.10 allows local
8
users to overwrite arbitrary files via a symlink attack on the
9
album_info.xml temporary file.
12
jdstrand> Ubuntu 6.06 LTS (Dapper) does not contain the vulnerable code
13
jdstrand> amarok tries to remove the file before opening it, so there is
14
a TOCTOU vulnerability and a symlink could be inserted before open. This
15
makes the attack much harder, but still possible.
17
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494765
23
patch: http://websvn.kde.org/?view=rev&revision=846626
24
vendor: http://security.gentoo.org/glsa/glsa-200809-08.xml
25
vendor: http://www.mandriva.com/security/advisories?name=MDVSA-2008:172
26
upstream_amarok: released (1.4.10)
27
dapper_amarok: not-affected
28
feisty_amarok: needed (reached end-of-life)
29
gutsy_amarok: released (2:1.4.7-0ubuntu3.1)
30
hardy_amarok: released (2:1.4.9.1-0ubuntu3.1)
31
devel_amarok: released (2:1.4.10-0ubuntu1)