CVE-2014-1638

Name: CVE-2014-1638
Description: (1) debian/postrm and (2) debian/localepurge.config in localepurge before 0.7.3.2 use tempfile to create a safe temporary file but then append a suffix to the original filename and write to this new filename, which allows local users to overwrite arbitrary files via a symlink attack on the new filename.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 736359

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
| --- | --- | --- | --- |
| localepurge (PTS) | buster | 0.7.3.5 | fixed |
| | sid, trixie, bookworm, bullseye | 0.7.3.10 | fixed |

The information below is based on the following data on fixed versions.

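| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
| --- | --- | --- | --- | --- | --- | --- |
| localepurge | source | squeeze | 0.6.2+nmu1+squeeze1 | | | |
| localepurge | source | wheezy | 0.6.3+deb7u1 | | | |
| localepurge | source | (unstable) | 0.7.3.2 | | | 736359 |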
