CVE-2007-6061

Publication date 20 November 2007

Last updated 24 July 2024

Audacity 1.3.2 creates a temporary directory with a predictable name without checking for previous existence of that directory, which allows local users to cause a denial of service (recording deadlock) by creating the directory before Audacity is run. NOTE: this issue can be leveraged to delete arbitrary files or directories via a symlink attack.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
audacity	7.10 gutsy	Fixed 1.3.3-1ubuntu0.1
	7.04 feisty	Fixed 1.2.6-0ubuntu1.1
	6.10 edgy	Ignored end of life, was needed
	6.06 LTS dapper	Fixed 1.2.4b-2ubuntu2.1

How can I get the fixes?
What do statuses mean?

Notes

fujitsu

The denial of service requires changing the ownership of the directory after audacity is already running.

References

MITRE
NVD
Launchpad
Debian

Other references

http://sourceforge.net/mailarchive/forum.php?thread_name=Pine.LNX.4.63.0711162007530.24246%40t-4009-01.studat.chalmers.se&forum_name=audacity-users
http://sourceforge.net/mailarchive/forum.php?thread_name=d08.220e2918.3472d3de%40aol.com&forum_name=audacity-users
https://www.cve.org/CVERecord?id=CVE-2007-6061