Hugin: Insecure temporary file creation — GLSA 200712-01

A vulnerability has been discovered in Hugin, potentially allowing for a Denial of Service.

Affected packages

media-gfx/hugin on all architectures
Affected versions < 0.7_beta4-r1
Unaffected versions revision >= 0.6.1-r1
>= 0.7_beta4-r1

Background

Hugin is a GUI for creating and processing panoramic images.

Description

Suse Linux reported that Hugin creates the "hugin_debug_optim_results.txt" temporary file in an insecure manner.

Impact

A local attacker could exploit this vulnerability with a symlink attack, potentially overwriting an arbitrary file with the privileges of the user running the application.

Workaround

There is no known workaround at this time.

Resolution

All Hugin users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=media-gfx/hugin-0.6.1-r1"

References

Release date
December 05, 2007

Latest revision
December 05, 2007: 01

Severity
normal

Exploitable
local

Bugzilla entries