Virtual Security Research, LLC.
http://www.vsecurity.com/
Security Advisory

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Advisory Name: Time-of-Check-Time-of-Use File Race in AFFLIB
Release Date: 2007-04-27
Application: AFFLIB(TM)
Versions: 2.2.0-2.2.8 and likely earlier versions.
Severity: N/A
Author: Timothy D. Morgan
Vendor Status: Vendor Notified
CVE Candidate: CVE-2007-2056
Reference: http://www.vsecurity.com/bulletins/advisories/2007/afflib-toctou.txt

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

This advisory has been recalled. The portion of vulnerable code is not
called in any current version of AFFLIB and is therefore not exploitable.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

This advisory is distributed for educational purposes only, and comes with
absolutely NO WARRANTY; not even the implied warranty of merchantability or
fitness for a particular purpose. Neither Virtual Security Research, LLC nor
the author accepts any liability for any direct, indirect, or consequential
loss or damage arising from use of, or reliance on, this information.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Vulnerability Disclosure Policy:
http://www.vsecurity.com/disclosurepolicy.html

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

AFF(TM) and AFFLIB(TM) are trademarks of Simson Garfinkel and Basis
Technology Corp. Included source code excerpts are copyright Simson
Garfinkel and Basis Technology Corp.

This advisory is copyright (C) 2007 Virtual Security Research, LLC. All
rights reserved.