Debian Security Advisory
DSA-1891-1 changetrack -- shell command execution
- Date Reported:
- 22 Sep 2009
- Affected Packages:
- changetrack
- Vulnerable:
- Yes
- Security database references:
- In the Debian bugtracking system: Bug 546791.
In Mitre's CVE dictionary: CVE-2009-3233. - More information:
-
Marek Grzybowski discovered that changetrack, a program to monitor changes to (configuration) files, is prone to shell command injection via metacharacters in filenames. The behaviour of the program has been adjusted to reject all filenames with metacharacters.
For the oldstable distribution (etch), this problem has been fixed in version 4.3-3+etch1.
For the stable distribution (lenny), this problem has been fixed in version 4.3-3+lenny1.
For the testing distribution (squeeze), this problem will be fixed soon.
For the unstable distribution (sid), this problem has been fixed in version 4.5-2.
We recommend that you upgrade your changetrack packages.
- Fixed in:
-
Debian GNU/Linux 4.0 (etch)
- Source:
- http://security.debian.org/pool/updates/main/c/changetrack/changetrack_4.3-3+etch1.diff.gz
- http://security.debian.org/pool/updates/main/c/changetrack/changetrack_4.3-3+etch1.dsc
- http://security.debian.org/pool/updates/main/c/changetrack/changetrack_4.3-3+etch1.dsc
- Architecture-independent component:
- http://security.debian.org/pool/updates/main/c/changetrack/changetrack_4.3-3+etch1_all.deb
Debian GNU/Linux 5.0 (lenny)
- Source:
- http://security.debian.org/pool/updates/main/c/changetrack/changetrack_4.3.orig.tar.gz
- http://security.debian.org/pool/updates/main/c/changetrack/changetrack_4.3-3+lenny1.diff.gz
- http://security.debian.org/pool/updates/main/c/changetrack/changetrack_4.3-3+lenny1.dsc
- http://security.debian.org/pool/updates/main/c/changetrack/changetrack_4.3-3+lenny1.diff.gz
- Architecture-independent component:
- http://security.debian.org/pool/updates/main/c/changetrack/changetrack_4.3-3+lenny1_all.deb
MD5 checksums of the listed files are available in the original advisory.