Software maker Corel today confirmed it is battling a security hole in Corel Linux.
"There is, yes, a security hole," said Judith O'Brien, a spokeswoman for Corel Linux.
The security hole applies only to Corel Update, a graphical user interface (GUI) that Corel has put on top of the Debian distribution of Corel Linux, according to O'Brien. The Debian distribution -- or version -- of Corel Linux is supported by a core of about 500 volunteer developers and is distinct from others for its emphasis on online updates. If a customer is using a version of Corel Linux that is strictly a Debian distribution -- without the Corel Update GUI -- the problem will not affect them, she said.
The hole allows users, who have privileges to remotely log on to a server, to replace the scripts running in Corel Update with scripts they created themselves, O'Brien said. But users must have log-in privileges in order to take advantage of the bug, she said.
"It's not something that anybody can do," O'Brien said. "If you don't have an account, you can't do anything."
Corel was informed of the problem last week and will post a patch later today at http://linux.corel.com/, O'Brien said. Future versions of Corel Update will permit authorised users to substitute scripts, but the product will ship with that ability turned off as the default, she said.