Debian Security Advisory DSA 202-2 (im)

The remote host is missing an update to im announced via advisory DSA 202-2.
Despite popular belief, the IM packages are not architecture independent, since the number of the fsync syscal is detected on build time and this number differs on Linux architectures and other operating systems. As a result of this the optional feature ``NoSync=no'' does only work on the architecture the package was built on. As usual, we are including the text of the original advisory DSA 202-1: Tatsuya Kinoshita discovered that IM, which contains interface commands and Perl libraries for E-mail and NetNews, creates temporary files insecurely. 1. The impwagent program creates a temporary directory in an insecure manner in /tmp using predictable directory names without checking the return code of mkdir, so it's possible to seize a permission of the temporary directory by local access as another user. 2. The immknmz program creates a temporary file in an insecure manner in /tmp using a predictable filename, so an attacker with local access can easily create and overwrite files as another user. This problem has been fixed in version 141-18.2 for the current stable distribution (woody), in version 133-2.3 of the old stable distribution (potato). A correection is expected for the unstable distribution (sid) soon. We recommend that you upgrade your IM package.