Fluid Attacks Database

Description

syncevo/installcheck-local.sh in syncevolution before 1.3.99.7 uses mktemp to create a safe temporary file but appends a suffix to the original filename and writes to this new filename, which allows local users to overwrite arbitrary files via a symlink attack on the new filename.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	syncevolution	>=0 <1.3.99.7-1	1.3.99.7-1
debian 14	syncevolution	=0.9+ds1-2 \|\| =0.9.1+ds1-1 \|\| =1.0+ds1~a1-1 \|\| =1.0+ds1~a1-2 \|\| =1.0+ds1~beta2a-1 \|\| =1.0+ds1~beta2a-2 \|\| =1.1+ds1-1 \|\| =1.1+ds1-2 \|\| =1.1+ds1-3 \|\| =1.1+ds1-4 \|\| =1.1+ds1-5 \|\| =1.1.99.3+ds1-1 \|\| =1.1.99.5a-1 \|\| =1.1.99.5a-2 \|\| =1.2.1-1 \|\| =1.2.2-1 \|\| =1.2.99.1-1 \|\| =1.2.99.1-1.1 \|\| =1.3.2-1 \|\| >=0 <1.3.99.7-1	1.3.99.7-1

Aliases

1. CVE-2014-16392. NVD-2014-16393. OSV-DEBIAN-2014-16394. OSV-2014-16395. SECURITY-TRACKER-CVE-2014-1639

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.