FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

id3lib -- insecure temporary file creation

Affected packages
id3lib < 3.8.3_4

Details

VuXML ID 15ec9123-7061-11dc-b372-001921ab2fa4
Discovery 2007-08-20
Entry 2007-10-01
Modified 2007-10-01

The Debian bug report log states:

When tagging file $foo, a temporary copy of the file is created, and for some reason, libid3 doesn't use mkstemp but just creates $foo.XXXXXX literally, without any checking.

This would silently truncate and overwrite an existing $foo.XXXXXX.
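The behaviour described in the report, next to the `mkstemp` form it says is missing, as an added example that is not id3lib's code. The function names, the `/tmp/id3demo` scratch directory and the file contents are hypothetical, constructed for the demonstration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Reported pattern: the "XXXXXX" template is never expanded, so the name is
 * predictable and an existing file of that name is truncated. */
static int open_tmp_literal(const char *path, char *out, size_t n)
{
    snprintf(out, n, "%s.XXXXXX", path);
    return open(out, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened form: mkstemp() fills in the X's and creates the file with
 * O_CREAT|O_EXCL, so it never opens a file that already exists. */
static int open_tmp_mkstemp(const char *path, char *out, size_t n)
{
    snprintf(out, n, "%s.XXXXXX", path);
    return mkstemp(out);
}

/* Plants a 6-byte "<file>.XXXXXX" in a scratch directory (constructed sample
 * data), runs one opener, and returns the planted file's size afterwards. */
long victim_size_after(int use_mkstemp)
{
    char dir[] = "/tmp/id3demo.XXXXXX";
    char song[64], victim[80], tmp[80];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(song, sizeof song, "%s/song.mp3", dir);
    snprintf(victim, sizeof victim, "%s.XXXXXX", song);
    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs("secret", f);
    fclose(f);
    int fd = use_mkstemp ? open_tmp_mkstemp(song, tmp, sizeof tmp)
                         : open_tmp_literal(song, tmp, sizeof tmp);
    if (fd < 0) return -1;
    close(fd);
    long size = stat(victim, &st) == 0 ? (long)st.st_size : -1;
    unlink(tmp); unlink(victim); rmdir(dir);
    return size;
}

int main(void)
{
    printf("literal: %ld bytes left, mkstemp: %ld bytes left\n",
           victim_size_after(0), victim_size_after(1));
}
```

With the literal name the planted file ends up empty; with `mkstemp` its six bytes are untouched because the temporary copy gets a different, exclusively created name.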

References

Bugtraq ID 25372
CVE Name CVE-2007-4460