> Package: ncompress
> Version: 4.2.4-15
> Severity: grave
> Tags: security
>
> Hi!
>
> There is a recent report about insecure temporary files in ncompress,
> similar to the recent advisories about gzip:
>
> http://www.zataz.net/adviso/ncompress-09052005.txt
>
> Can you please check this? There is no CAN number yet. If this is a
> real issue, you can ask [EMAIL PROTECTED] to get one.

I have to admit that I don't completely understand the report at the link above. It looks like the symlink attack only exists when using zdiff and zcmp?

The Debian package does not install the ncompress versions of these utilities, and the installed executable (as far as I can tell) does not use them. This would appear to imply that the Debian package is not vulnerable. However, I don't know how I would confirm this.

Thoughts? I'll write the Security Team and see what they think, as well.

Thanks for submitting the bug.

KEN

--
Kenneth J. Pronovici <[EMAIL PROTECTED]>

