Debian Bug Report: Vulnerability with Symlinks (#496358)

Package: crossfire-maps

Summary: The report details a security vulnerability involving the use of symlinks in several Debian packages, which could potentially be exploited by attackers.

Key Information

- Date Reported: Sun, 24 Aug 2008 18:06:07 UTC
- Reported by: Dmitry E. Oboukhov
- Severity: Initially set to "grave," later adjusted to "important"
- Fixed Version: crossfire-maps 1.11.0-2
- Maintainer: Kari Pahula

Vulnerability Details

The vulnerability arises from scripts within certain Debian packages that use temporary files in directories without proper safeguards. This allows any user to create symlinks with the same names as the temp files. An attacker could exploit this to:

- Destroy or rewrite system or user files.
- Cause denial of service.
- Permanently create symlinks leading to data destruction.

Packages Affected

A comprehensive list of affected packages is provided, including:

- crossfire-maps
- r-base-core-ra
- rcpp
- mafft
- openoffice.org-common
- ...

Each package and its problematic scripts are listed.

Resolution

The maintainer updated the package to version 1.11.0-2, addressing the vulnerability by removing the and subdirectories and the script, which mitigated the risk.
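
The temp-file pattern described under Vulnerability Details, shown next to a hardened form. This is an added example, not code from the bug report or from any of the listed packages; the function names, file names and sandbox layout are constructed for illustration, and everything runs inside a private directory created by `mktemp -d`.

```shell
#!/bin/sh
# Added example: all names and paths below are constructed, not from the report.

# Flawed pattern: a fixed, predictable name inside a directory other users
# can write to. If that name already exists as a symlink, the redirection
# follows it and truncates whatever the link points at.
write_fixed_name() {
    echo "scratch data" > "$1/report.tmp"
}

# Hardened pattern: mktemp picks an unpredictable name and creates the file
# exclusively, so a pre-existing symlink is never opened or followed.
write_mktemp() {
    tmp=$(mktemp "$1/report.XXXXXX") || return 1
    echo "scratch data" > "$tmp"
    rm -f "$tmp"
}

# Run one writer against a sandbox in which report.tmp is already a symlink
# to a file that must not change. Returns 0 if that file is left intact.
demo() {
    writer=$1
    sandbox=$(mktemp -d) || return 2
    mkdir "$sandbox/shared"
    echo "important" > "$sandbox/protected"
    ln -s "$sandbox/protected" "$sandbox/shared/report.tmp"
    "$writer" "$sandbox/shared"
    result=$(cat "$sandbox/protected")
    rm -rf "$sandbox"
    [ "$result" = "important" ]
}

for w in write_fixed_name write_mktemp; do
    if demo "$w"; then
        echo "$w: protected file intact"
    else
        echo "$w: protected file overwritten through the symlink"
    fi
done
```

In a real maintainer script the `mktemp` result would normally be cleaned up with a `trap` on exit rather than an inline `rm`.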