NameCVE-2008-5007 in lazarus 0.9.24 allows local users to overwrite or delete arbitrary files via a symlink attack on a (1) /tmp/lazarus.tgz temporary file or a (2) /tmp/lazarus temporary directory.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium
Debian Bugs496377

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
lazarus (PTS)jessie1.2.4+dfsg2-1fixed
bullseye, sid2.0.6+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs


vulnerable script only called when updating the source
thus neither actively used nor invoked automatically

Search for package or bug name: Reporting problems