[CVE-2007-6061] Denial of service and deletion of an arbitrary directory tree via symlink attack

Bug #173153 reported by William Grant
Affects | Status | Importance | Assigned to | Milestone
audacity (Debian) | Fix Released | Unknown | |
audacity (Gentoo Linux) | Fix Released | Low | |
audacity (Ubuntu) | Fix Released | Undecided | Unassigned |
Dapper | Fix Released | Undecided | Kees Cook |
Edgy | Fix Released | Undecided | Unassigned |
Feisty | Fix Released | Undecided | Kees Cook |
Gutsy | Fix Released | Undecided | Kees Cook |
Hardy | Fix Released | Undecided | Unassigned |

Bug Description

Binary package hint: audacity

Audacity 1.3.2 creates a temporary directory with a predictable name without checking for previous existence of that directory, which allows local users to cause a denial of service (recording deadlock) by creating the directory before Audacity is run. NOTE: this issue can be leveraged to delete arbitrary files or directories via a symlink attack.

All releases (including Hardy) are affected.
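
The check the description says is missing, as an added C example (not Audacity's code and not the patch attached to this bug; the fix that shipped moved the directory into the user's home instead). The helper name `ensure_private_dir` and the scratch paths are hypothetical and constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not Audacity code): returns 0 only if `path` is,
 * after the call, a real directory owned by the caller that no other
 * user can write to; returns -1 if it must not be used. */
int ensure_private_dir(const char *path)
{
    struct stat st;

    if (mkdir(path, 0700) == 0)
        return 0;                    /* we created it ourselves */
    if (errno != EEXIST)
        return -1;

    /* The name was already taken. lstat() does not follow a symlink,
     * so a planted link is seen as a link, not as its target. */
    if (lstat(path, &st) != 0)
        return -1;
    if (!S_ISDIR(st.st_mode))
        return -1;                   /* symlink, file, FIFO, ... */
    if (st.st_uid != geteuid())
        return -1;                   /* pre-created by another user */
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return -1;                   /* others could swap its contents */
    return 0;
}

int main(void)
{
    char base[] = "/tmp/tmpdir-demo-XXXXXX";   /* constructed scratch area */
    char own[64], planted[64];

    if (mkdtemp(base) == NULL)
        return 1;
    snprintf(own, sizeof own, "%s/session", base);
    snprintf(planted, sizeof planted, "%s/planted", base);
    if (symlink(own, planted) != 0)            /* stands in for a pre-planted link */
        return 1;

    printf("fresh dir:    %d\n", ensure_private_dir(own));
    printf("reused dir:   %d\n", ensure_private_dir(own));
    printf("planted link: %d\n", ensure_private_dir(planted));
    return 0;
}
```

A caller that gets -1 should refuse to record into, or clean up, that path rather than fall back to it.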

Revision history for this message
William Grant (wgrant) wrote :

There's no upstream fix yet.

Changed in audacity:
status: New → Confirmed
status: New → Confirmed
status: New → Confirmed
status: New → Confirmed
status: New → Confirmed
Changed in audacity:
status: Unknown → In Progress
Changed in audacity:
status: Unknown → New
Changed in audacity:
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package audacity - 1.3.4-1.1ubuntu1

---------------
audacity (1.3.4-1.1ubuntu1) hardy; urgency=low

  [ Mario Bonino ]
  * Merge from Debian unstable (LP: #179861) remaining changes:
    - debian/patches/desktop_file.patch:
      - removed deprecated Encoding field
      - removed deprecated Application value from Categories
      - updated Name fields
      - updated Icon field
    - debian/control:
      - updated Maintainer field

  [ Emmet Hikory ]
  * Updated merge debdiff to new Debian version for LP: #173153

audacity (1.3.4-1.1) unstable; urgency=high

  * Non-maintainer upload by security team.
  * Fix insecure directory creation in /tmp by moving the directory
    to the users home directory (CVE-2007-6061; Closes: #453283).
  * Adding NEWS file to advise the user to change the tmp path
    in his config file so there is a notification for users who
    are already vulnerable.

audacity (1.3.4-1) unstable; urgency=low

  [ Joost Yervante Damad ]
  * Survived the library transition (Closes: #426636)
  * Disable portmixer as recommended (Closes: #454241)
  * only enable jack on i386 and powerpc (See also #406754)

  [ Free Ekanayaka ]
  * New upstream release
  * Force removal of lib-src/libportmixer.a when cleaning (Closes #442497)
  * Fixed watch file (Closes: #449637)
  * Dropped no more needed desktop, kfreebsd and see patches

 -- Emmet Hikory <email address hidden> Tue, 22 Jan 2008 21:22:17 +0900

Changed in audacity:
status: Confirmed → Fix Released
Revision history for this message
Emanuele Gentili (emgent) wrote :

+audacity (1.3.3-1ubuntu0.1) gutsy-security; urgency=low
+
+ * SECURITY UPDATE:
+ - Fix insecure directory creation in /tmp by moving the directory
+ to the users home directory (CVE-2007-6061; LP: #173153).
+ * References
+ - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=453283
+
+ -- Emanuele Gentili <email address hidden> Tue, 22 Jan 2008 21:07:26 +0100
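
Review bot: the "Fix insecure directory creation in /tmp" bullet names no file or patch, so the changelog does not say where the temporary directory default was changed. Add the path of the patched file (or of the patch under debian/patches) beneath the bullet, and write "user's home directory".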

My mentor has advised me to change version.
Patch is ok, audacity built and works fine.

Revision history for this message
Emanuele Gentili (emgent) wrote :

Last patch isn't correct, I'm working on a new fix.

Revision history for this message
Emanuele Gentili (emgent) wrote :

+audacity (1.3.3-1ubuntu0.1) gutsy-security; urgency=low
+
+ * SECURITY UPDATE:
+ - Fix insecure directory creation in /tmp by moving the directory
+ to the users home directory (CVE-2007-6061; LP: #173153).
+
+ * other update
+ - debian/control Maintainer change
+
+ -- Emanuele Gentili <email address hidden> Wed, 23 Jan 2008 14:40:23 +0100
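
Review bot: the "other update" entry puts a debian/control Maintainer change into an upload marked SECURITY UPDATE, which widens the diff beyond the CVE-2007-6061 fix. Keep the upload to the security change unless the Maintainer edit is needed for that release, and keep the References entry with the Debian bug link that the earlier revision of this changelog carried.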

Changed in audacity:
status: Fix Released → Confirmed
Revision history for this message
Emanuele Gentili (emgent) wrote :

Patch for hardy, because it was fixed with the wrong Debian patch. Now corrected and ready for upload.

Revision history for this message
Emanuele Gentili (emgent) wrote :

debdiff for hardy corrected and ready for upload.

Revision history for this message
Emanuele Gentili (emgent) wrote :

The leading / is not needed in /%s/; %s will be the home directory... I checked the wxWidgets code and they are getting the home dir from $HOME or from /etc/passwd... so "%s/.audacity..." is correct, and "/%s/" will be shown as //home/user.
The hardy patch is wrong.

http://bugs.gentoo.org/show_bug.cgi?id=199751#c12

Changed in audacity:
status: Confirmed → Fix Released
Revision history for this message
Emanuele Gentili (emgent) wrote :

+audacity (1.3.3-1ubuntu0.1) gutsy-security; urgency=low
+
+ * SECURITY UPDATE:
+ - Fix insecure directory creation in /tmp by moving the directory
+ to the users home directory (CVE-2007-6061; LP: #173153).
+
+ * other update
+ - debian/control Maintainer change
+
+ -- Emanuele Gentili <email address hidden> Wed, 23 Jan 2008 14:40:23 +0100

corrected patch for gutsy.

Revision history for this message
Emanuele Gentili (emgent) wrote :

The leading / is not needed in /%s/; %s will be the home directory... I checked the wxWidgets code and they are getting the home dir from $HOME or from /etc/passwd... so "%s/.audacity..." is correct, and "/%s/" will be shown as //home/user.
The hardy patch is wrong.

http://bugs.gentoo.org/show_bug.cgi?id=199751#c12

Revision history for this message
Emanuele Gentili (emgent) wrote :

Ultimate diff for fix hidden directory.
Ready for gutsy

Revision history for this message
Emanuele Gentili (emgent) wrote :

Ultimate diff for fix hidden directory.
Ready for feisty.

deb: http://thc.emanuele-gentili.com/packages/security_fix/feisty/audacity/audacity_1.2.6-0ubuntu1.1_i386.deb
debdiff: attached.

Revision history for this message
Emanuele Gentili (emgent) wrote :

Ultimate diff for dapper ready.

Revision history for this message
Kees Cook (kees) wrote :

A couple notes on these debdiffs:
 * changes look good. The / vs // semantics don't really require a hardy bump. Both are "safe", and solve the security issue.
 * maintainer fields for security updates don't need updating in dapper and edgy (the build systems aren't verified to have worked with it). So only Feisty and newer should have the maintainer field adjusted.

I will get these spun up! Thanks for the work. :)

Revision history for this message
Kees Cook (kees) wrote :

Actually, I should have said the _fix_ looks good, but the debdiffs need attention:

 * "-security" pocket is missing for dapper, feisty, gutsy
 * patch system is cdbs (it should not be patched inline). Use the "what-patch" tool to help figure out the system.

Revision history for this message
Kees Cook (kees) wrote :

I've adjusted the dapper/feisty pockets, and added the inline patch to the patches directory. I cleaned up the changelogs to follow the examples in https://wiki.ubuntu.com/SecurityUpdateProcedures

The fixes are building now and should be published shortly. Thanks!

Changed in audacity:
assignee: nobody → keescook
status: Confirmed → Fix Committed
assignee: nobody → keescook
status: Confirmed → Fix Committed
status: Confirmed → Fix Committed
Revision history for this message
Emanuele Gentili (emgent) wrote :

Ok, Thanks Kees for the hard work :P

Kees Cook (kees)
Changed in audacity:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
assignee: nobody → keescook
status: Fix Committed → Fix Released
Revision history for this message
Emanuele Gentili (emgent) wrote :

+audacity (1.2.6-0ubuntu1.1~edgy1) edgy-security; urgency=low
+
+ * SECURITY UPDATE: unsafe directory creation and usage.
+ - moving directory to the user's home directory
+ - (CVE-2007-6061; LP: #173153).
+
+ -- Emanuele Gentili <email address hidden> Sun, 10 Feb 2008 09:51:05 +0100

Revision history for this message
Emmet Hikory (persia) wrote :

Not that I'm an expert on these things, but I'd think that security updates to backports belong in the backport repositories, rather than in the security repositories. Otherwise users who did not choose to enable backports will have a forced upgrade, which may not be to their desire.

Changed in audacity:
status: Confirmed → In Progress
Changed in audacity:
status: In Progress → Fix Committed
Changed in audacity:
status: Fix Committed → Fix Released
Changed in audacity:
status: In Progress → Fix Released
Changed in audacity (Gentoo Linux):
importance: Unknown → Low
This report contains Public Security information  
Everyone can see this security related information.
