Subject: Re: About updating scrollkeeper
To: Julio Merino <jmmv@hispabsd.org>
From: Jeremy C. Reed <reed@reedmedia.net>
List: tech-pkg
Date: 09/07/2002 13:13:15

On Sat, 7 Sep 2002, Julio Merino wrote:

> Our current textproc/scrollkeeper includes version 0.2 of this program.

I don't know about the impact of updating.

But scrollkeeper has a security issue: "A local user could create a
symbolic link from a temporary file name to another critical file on the
system."

Some root exploits are available.

http://securitytracker.com/alerts/2002/Sep/1005168.html

http://lists.gentoo.org/pipermail/gentoo-security/2002-September/000160.html

http://online.securityfocus.com/archive/1/290090/2002-09-01/2002-09-07/0

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0662 (empty)

http://www.debian.org/security/2002/dsa-160

http://www.linuxsecurity.com/advisories/redhat_advisory-2323.html

I read that the tempfile vulnerability is for all versions of
ScrollKeeper between 0.3 and 0.3.11.

The sourceforge webpage doesn't seem to say anything about it though.

I found a patch at Debian's site (which patched other Debian-specific
stuff too.)

I don't know scrollkeeper.

   Jeremy C. Reed
   http://www.reedmedia.net/