Guillem Jover

**Name of the Vulnerable Software and Affected Versions** rpcbind version 0.2.0 **Description** The issue is related to the improper validation of temporary files /tmp/portmap.xdr and /tmp/rpcbind.xdr by rpcbind. An attacker can create these files before the daemon is started, potentially leading to exploitation. **Recommendations** For rpcbind version 0.2.0, consider restricting access to the /tmp directory to prevent attackers from creating malicious files until a patch is available. As a temporary workaround, monitor the /tmp directory for suspicious files, such as portmap.xdr and rpcbind.xdr, and remove them before starting the rpcbind daemon.

**Name of the Vulnerable Software and Affected Versions** rpcbind version 0.2.0 **Description** The issue allows local users to write to arbitrary files or gain privileges via a symlink attack on (1) /tmp/portmap.xdr and (2) /tmp/rpcbind.xdr. **Recommendations** For rpcbind version 0.2.0, consider restricting access to the /tmp directory to prevent symlink attacks on /tmp/portmap.xdr and /tmp/rpcbind.xdr until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Open-source ARJ archiver version 3.10.22 **Description** A buffer overflow issue in the Open-source ARJ archiver allows remote attackers to cause a denial of service, potentially leading to a crash, or possibly execute arbitrary code. This can be achieved by sending a crafted ARJ archive. **Recommendations** For Open-source ARJ archiver version 3.10.22, update to a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Apt versions prior to 1.0.9.2 **Description** The issue allows local users to write to arbitrary files via a symlink attack on the changelog file. This is related to the changelog command. **Recommendations** For versions prior to 1.0.9.2, update to version 1.0.9.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** dpkg-dev version 1.3.0 **Description** A directory traversal issue in dpkg-source allows remote attackers to modify files outside of the intended directories. This is achieved by crafting a source package that lacks a --- header line. **Recommendations** For dpkg-dev version 1.3.0, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** dpkg-dev version 1.3.0 **Description** The issue allows remote attackers to modify files outside of the intended directories via a source package with a crafted Index: pseudo-header. This can be achieved in conjunction with either (1) missing --- and +++ header lines or (2) a +++ header line with a blank pathname. **Recommendations** For dpkg-dev version 1.3.0, update to a version that fixes the directory traversal vulnerabilities to prevent remote attackers from modifying files outside the intended directories.