COMMAND

    VariCAD

SYSTEMS AFFECTED

    VariCAD 7.0

PROBLEM

    'Narrow' found the following.  VariCAD is a CAD program for
    mechanical engineering, covering both 2D and 3D.  VariCAD 7.0
    ships on the Red Hat Linux 6.0 Application CD.

    Several binary files and two directories are world-writable.
    Anyone could replace them with a trojan and wait until someone
    executes the trojaned binary.  The binary files:

        /usr/bin/xvcad/dxfin
        /usr/bin/xvcad/igesin
        /usr/bin/xvcad/var_rm

    The directories:

        /usr/bin/xvcad/glib/*
        /usr/lib/xvcad/*

SOLUTION

    Change the permissions of the files and directories to 755.
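
    The following script is an added example, not part of the original
    advisory: it lists every world-writable file or directory under the
    two xvcad trees named above and, on request, sets them to mode 755.
    The function names and the FIX switch are assumptions made for this
    example.

```shell
#!/bin/sh
# Added example, not from the advisory: audit and fix world-writable entries.
# The roots passed at the bottom cover the paths the advisory lists
# (/usr/bin/xvcad/glib/* sits under /usr/bin/xvcad).

# Print every regular file or directory under the given roots whose mode has
# the "other write" bit set. Symlinks are skipped: find does not follow them
# by default, and a symlink's own mode bits are not used for access checks.
list_world_writable() {
    for root in "$@"; do
        [ -e "$root" ] || continue      # tree not present on this host
        find "$root" \( -type f -o -type d \) -perm -0002 -print 2>/dev/null
    done
}

# Apply the advisory's fix (mode 755) to exactly the entries found above.
# -exec ... {} + hands names straight to chmod, so odd filenames are safe.
fix_world_writable() {
    for root in "$@"; do
        [ -e "$root" ] || continue
        find "$root" \( -type f -o -type d \) -perm -0002 -exec chmod 755 {} +
    done
}

# Audit only by default; FIX=1 (hypothetical switch for this example) also
# remediates. Tightening the mode does not undo an earlier replacement, so a
# binary that was world-writable should be compared with the vendor copy.
audit() {
    list_world_writable "$@"
    if [ "${FIX:-0}" = 1 ]; then fix_world_writable "$@"; fi
}

audit /usr/bin/xvcad /usr/lib/xvcad
```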