Description of problem: As per the report from Gentoo (see URL), Anaconda uses a temporary file with a predictable name, which can be exploited locally by conducting a symlink attack to remove an arbitrary file from the victim's home directory.
s/Anaconda/Audacity/
CVE identifier for this issue was requested.
Gentoo has released a security advisory to address this flaw: http://www.gentoo.org/security/en/glsa/glsa-200803-03.xml Here is the patch used by Gentoo: http://sources.gentoo.org/viewcvs.py/gentoo-x86/media-sound/audacity/files/CVE-2007-6061.patch
Upstream discussion related to Gentoo patch: http://sourceforge.net/mailarchive/forum.php?thread_name=733f2c730803040303o679d28eeg224689218544d232%40mail.gmail.com&forum_name=audacity-devel
Any idea as to when this will be fixed in Fedora?
audacity-1.3.2-21.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
audacity-1.3.2-21.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
Auto-closing this failed due to a bug in bodhi.
Opening, shouldn't be autoclosed as this is the bug we use for tracing Audacity across all Red Hat products and services, not just Fedora.
This issue was addressed in: Fedora: https://admin.fedoraproject.org/updates/F8/FEDORA-2008-3456
Reporter changed to security-response-team by request of Jay Turner.
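The defensive pattern for the flaw class reported above (a predictable temporary path that may have been replaced by a symlink), as an added example that is not Audacity's code and not the Gentoo patch. The function names and the `example-XXXXXX` template are assumptions made for illustration; the idea is to create the directory with an unpredictable name and to verify it with `lstat()` before any cleanup touches it.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE          /* expose mkdtemp(), lstat(), symlink() on glibc */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 1 only if `path` is a real directory (not a symlink), owned by the
 * calling user, with no group/other access. lstat() inspects the link itself,
 * so a symlink planted at a guessable name is rejected instead of followed. */
int tmpdir_is_private(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0) return 0;
    if (!S_ISDIR(st.st_mode)) return 0;               /* symlink, file, fifo... */
    if (st.st_uid != geteuid()) return 0;             /* created by someone else */
    if (st.st_mode & (S_IRWXG | S_IRWXO)) return 0;   /* others can get in */
    return 1;
}

/* Create an unpredictable mode-0700 directory under `base` and write its path
 * to `out`. mkdtemp() fails rather than reusing an existing path.
 * Returns 0 on success, -1 on error. */
int make_private_tmpdir(const char *base, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/example-XXXXXX", base);  /* hypothetical template */
    if (n < 0 || (size_t)n >= outlen) return -1;
    return mkdtemp(out) ? 0 : -1;
}

int main(void)
{
    char dir[256], link_path[300];
    if (make_private_tmpdir("/tmp", dir, sizeof dir) != 0) return 1;
    printf("%s private: %d\n", dir, tmpdir_is_private(dir));

    /* Constructed stand-in for a link placed at a guessable path. */
    snprintf(link_path, sizeof link_path, "%s.link", dir);
    if (symlink(dir, link_path) == 0) {
        printf("%s private: %d\n", link_path, tmpdir_is_private(link_path));
        unlink(link_path);
    }
    rmdir(dir);
    return 0;
}
```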