Skip Quicknav

• About Debian
• News
• Getting Debian
• Support
• Developers' Corner
• Site map
• Search

Debian Security Advisory

xfs -- symbolic link can be used to change file permissions

Date Reported:

31 Mar 1999

Affected Packages:

xfs

Vulnerable:

No

Security database references:

In the Bugtraq database (at SecurityFocus): BugTraq ID 359.
In Mitre's CVE dictionary: CVE-1999-0434.

More information:

Some implementations of xfs incorrectly set the permissions of /tmp/.font-unix even if that location is a symbolic link to another file. Debian 2.1 (slink) is not vulnerable to this problem.

This ISS Security - X-Force Alerts - xfree86-xfs-symlink-dos page provides a good summary of the xfs vulnerability.

The vulnerability can be used to change the permissions of the /etc/shadow file, as shown in Neohapsis Archives (BugTraq) 1999 "bugs in xfs". The InDenial BugTraq Archives - 1999 Mar "bugs in xfs" shows the thread.

This page is also available in the following languages:

Deutsch español français 日本語 (Nihongo) svenska

How to set the default document language