PT-2009-4417 · Xfig · Xfig

Nico Golde

·

Published

2009-06-06

·

Updated

2024-06-15

·

CVE-2009-1962

CVSS v2.0

4.4

Medium

Vector AV:L/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Xfig version 3.2.5
Description: Xfig creates its temporary files in a shared temporary directory (by default /tmp) under names that are predictable because they are derived only from the process ID. A local user can pre-create a symbolic link at one of those names pointing at a file the Xfig user can access; when Xfig opens the name for writing it follows the link, so the attacker can overwrite (or, for files Xfig later reads back, read) arbitrary files with the privileges of the Xfig user. The affected names are xfig-eps[PID], xfig-pic[PID].pix, xfig-pic[PID].err, xfig-pcx[PID].pix, xfig-xfigrc[PID], xfig[PID], xfig-print[PID], xfig-export[PID].err, xfig-batch[PID], xfig-exp[PID] and xfig-spell[PID], where [PID] is the Xfig process ID.
Recommendations: Update to a patched Xfig package. Until that is possible, run Xfig with its temporary-file directory pointed at a private directory (mode 0700) rather than a shared, world-writable one; Xfig reads this directory from the XFIGTMPDIR environment variable and falls back to /tmp. On Linux, enabling the fs.protected_symlinks sysctl also blocks this class of attack: the kernel refuses to follow a symlink in a sticky, world-writable directory when the link's owner differs from both the directory owner and the process that follows it. Note that the workaround does not help against an attacker who already has write access to the chosen directory.
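The attack described above, reduced to its essentials, as an added example that is not Xfig's own code: the vulnerable writer opens a predictable name (the xfig-eps[PID] scheme from this advisory) with fopen("w") and is redirected by a pre-planted symlink, while the hardened writer uses mkstemp(), which appends an unpredictable suffix and opens with O_CREAT|O_EXCL so an existing path, link or not, is never reused. The scratch directory under /tmp, the victim file name and the payload string are constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed payload standing in for whatever xfig would write. */
#define PAYLOAD "attacker-controlled contents\n"

/* The predictable name scheme from the advisory: <dir>/xfig-eps<PID>. */
static void predictable_name(char *buf, size_t len, const char *dir, pid_t pid)
{
    snprintf(buf, len, "%s/xfig-eps%ld", dir, (long)pid);
}

/* Vulnerable pattern (what the advisory describes): open a predictably named
 * file for writing. fopen(..., "w") follows a symlink already sitting at that
 * path and truncates/writes whatever it points to.
 * Returns 0 if the write went through, -1 otherwise. */
int vulnerable_write(const char *dir, pid_t pid)
{
    char path[512];
    predictable_name(path, sizeof path, dir, pid);
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(PAYLOAD, f);
    fclose(f);
    return 0;
}

/* Hardened pattern: mkstemp() replaces the XXXXXX suffix with an unpredictable
 * string and opens with O_CREAT|O_EXCL, so a pre-planted path is never opened.
 * The file is unlinked once written, as a temporary file should be.
 * Returns 0 on success, -1 on error. */
int safe_write(const char *dir, pid_t pid)
{
    char path[512];
    snprintf(path, sizeof path, "%s/xfig-eps%ld.XXXXXX", dir, (long)pid);
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    ssize_t n = write(fd, PAYLOAD, strlen(PAYLOAD));
    close(fd);
    unlink(path);
    return n == (ssize_t)strlen(PAYLOAD) ? 0 : -1;
}

/* 1 if the victim file now holds the payload, 0 if it survived, -1 if unreadable. */
static int victim_clobbered(const char *victim)
{
    char buf[128] = {0};
    FILE *f = fopen(victim, "r");
    if (!f) return -1;
    (void)fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    return strncmp(buf, PAYLOAD, strlen(PAYLOAD)) == 0;
}

/* Simulated attack in a private scratch directory standing in for /tmp:
 * the "attacker" plants <dir>/xfig-eps<PID> as a symlink to a victim file,
 * then the chosen writer runs as the victim process would.
 * Returns 1 if the victim file was overwritten, 0 if not, -1 on setup failure. */
int run_demo(int use_safe_writer)
{
    char dir[] = "/tmp/xfig-symlink-demo.XXXXXX";   /* constructed scratch dir */
    if (!mkdtemp(dir)) return -1;

    char victim[600], link[600];
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    predictable_name(link, sizeof link, dir, getpid());

    int rc = -1;
    FILE *v = fopen(victim, "w");
    if (!v) goto out;
    fputs("original contents\n", v);
    fclose(v);

    if (symlink(victim, link) != 0) goto out;       /* attacker's step */

    if (use_safe_writer) safe_write(dir, getpid());
    else                 vulnerable_write(dir, getpid());

    rc = victim_clobbered(victim);
out:
    unlink(link);
    unlink(victim);
    rmdir(dir);
    return rc;
}

int main(void)
{
    printf("fopen(\"w\") writer clobbered victim: %d\n", run_demo(0));
    printf("mkstemp writer clobbered victim:    %d\n", run_demo(1));
    return 0;
}
```

Running it prints 1 for the vulnerable writer and 0 for the mkstemp writer. The demonstration deliberately uses a directory the same user owns, so fs.protected_symlinks does not interfere; in a real sticky /tmp with that sysctl enabled, the vulnerable writer would instead fail with EACCES when the link belongs to another user.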

Fix

Fixed packages are shipped through distribution security updates; see the openSUSE security update listed under Related Identifiers.

Weakness Enumeration

Link Following

Related Identifiers

CVE-2009-1962
OPENSUSE-SU-2024:10483-1

Affected Products

Xfig