Updated SANE and XSane packages are available, which fix insecure handling of temporary files.
XSane is an X-based interface providing access to scanners, digital cameras, and other capture devices. When XSane creates temporary files, it does so with predictable filenames in a manner that would follow symbolic links. This could allow a local user to overwrite files written by the user running XSane.

Additionally, the SANE library that XSane uses has similar problems. When some SANE backend drivers created temporary files, they did so in a manner that would follow symbolic links. These packages prevent that kind of attack. The default configuration had one of these backends enabled.

These packages update XSane to version 0.82 and turn off the vulnerable backend in the default configuration.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2001-0887 and CAN-2001-0890 to these issues.
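The class of bug described above, shown as an added example (this is not XSane or SANE source code; the function names, the file names and the scratch directory are hypothetical). It contrasts a temporary-file open that follows an existing symbolic link with one that uses O_EXCL and therefore refuses to.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak pattern: fixed name and no O_EXCL, so an existing symlink is followed. */
static int open_tmp_weak(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}
/* Hardened: with O_CREAT|O_EXCL, open() fails with EEXIST if anything,
 * including a symlink, already exists at the path. */
static int open_tmp_excl(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}
static long file_size(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Constructed scenario inside a private scratch directory: a symlink with the
 * predictable temp name points at a file holding 8 bytes. Pass 0 uses the
 * weak open, pass 1 the hardened one. Returns 0 when the scenario ran. */
int demo(long *size_after_weak, int *excl_errno, long *size_after_excl) {
    char dir[] = "/tmp/symlink-demo-XXXXXX";
    char target[256], tmp[256];
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/important.txt", dir);
    snprintf(tmp, sizeof tmp, "%s/app.tmp", dir);   /* predictable name */
    for (int pass = 0; pass < 2; pass++) {
        FILE *f = fopen(target, "w");
        if (!f) return -1;
        fputs("keep me\n", f);
        fclose(f);
        unlink(tmp);
        if (symlink(target, tmp) != 0) return -1;
        int fd = pass == 0 ? open_tmp_weak(tmp) : open_tmp_excl(tmp);
        int err = fd < 0 ? errno : 0;
        if (pass == 0) *size_after_weak = file_size(target);
        else { *excl_errno = err; *size_after_excl = file_size(target); }
        if (fd >= 0) close(fd);
    }
    unlink(tmp); unlink(target); rmdir(dir);
    return 0;
}
```

In real code, mkstemp() is the usual choice because it combines an unpredictable name with the same exclusive-create behaviour.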