{"id":"UBUNTU-CVE-2009-1962","details":"Xfig, possibly 3.2.5, allows local users to read and write arbitrary files via a symlink attack on the (1) xfig-eps[PID], (2) xfig-pic[PID].pix, (3) xfig-pic[PID].err, (4) xfig-pcx[PID].pix, (5) xfig-xfigrc[PID], (6) xfig[PID], (7) xfig-print[PID], (8) xfig-export[PID].err, (9) xfig-batch[PID], (10) xfig-exp[PID], or (11) xfig-spell.[PID] temporary files, where [PID] is a process ID.","modified":"2025-07-16T07:30:38.093138Z","published":"2009-06-08T01:00:00Z","withdrawn":"2025-07-18T16:42:39Z","upstream":["CVE-2009-1962"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2009-1962"},{"type":"REPORT","url":"http://www.openwall.com/lists/oss-security/2009/04/01/6"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2009-1962"}],"affected":[{"package":{"name":"xfig","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/xfig@1:3.2.6a-2?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:3.2.6a-2"}]}],"versions":["1:3.2.6a-1"],"ecosystem_specific":{"binaries":[{"binary_version":"1:3.2.6a-2","binary_name":"xfig"},{"binary_version":"1:3.2.6a-2","binary_name":"xfig-dbgsym"},{"binary_version":"1:3.2.6a-2","binary_name":"xfig-doc"},{"binary_version":"1:3.2.6a-2","binary_name":"xfig-libs"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2009/UBUNTU-CVE-2009-1962.json"}},{"package":{"name":"xfig","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/xfig@1:3.2.7b-2?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:3.2.7b-2"}]}],"versions":["1:3.2.7a-3","1:3.2.7b-1"],"ecosystem_specific":{"binaries":[{"binary_version":"1:3.2.7b-2","binary_name":"xfig"},{"binary_version":"1:3.2.7b-2","binary_name":"xfig-dbgsym"},{"binary_version":"1:3.2.7b-2","binary_name":"xfig-doc"},{"binary_version":"1:3.2.7b-2","binary_name":"xfig-libs"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2009/UBUNTU-CVE-2009-1962.json"}},{"package":{"name":"xfig","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/xfig@1:3.2.8-3?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:3.2.8-3"}]}],"ecosystem_specific":{"binaries":[{"binary_version":"1:3.2.8-3","binary_name":"xfig"},{"binary_version":"1:3.2.8-3","binary_name":"xfig-dbgsym"},{"binary_version":"1:3.2.8-3","binary_name":"xfig-doc"},{"binary_version":"1:3.2.8-3","binary_name":"xfig-libs"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2009/UBUNTU-CVE-2009-1962.json"}}],"schema_version":"1.7.3","severity":[{"type":"Ubuntu","score":"low"}]}