Openwall Project   /home  Owl  JtR  Pro  crypt  pam_passwdqc  tcb  phpass  scanlogd  popa3d  msulogin  /  Linux  BIND  /  advisories  presentations  /  services  donations  /  wordlists  passwords  /  community  lists  wiki  CVSweb  mirrors  signatures
bringing security into open environments
 
Order Openwall GNU/*/Linux 2.0 on a CD with delivery worldwide
[<prev] [next>] [thread-next>] [month] [year] [list] 
Date: Thu, 21 Feb 2008 17:26:12 +0100
From: Marcus Meissner <meissner@...e.de>
To: oss-security@...ts.openwall.com, coley@...us.mitre.org
Subject: Acrobat Reader 8.1.2 tmp racy wrapper script

Hi,

I wonder if we will ever get rid of tmpraces, but /usr/bin/acroread from
Acrobat Reader 8.1.2 has this gem that shows someone is forgetting the
past again:

	MkTemp()
	{
	    if [ "${mktemp_count+set}" != "set" ]; then
		mktemp_count="0"
	    fi

	    mktemp_file="/tmp/acrobat.$$.${mktemp_count}"

	    while /usr/bin/test -e "$mktemp_file"
	    do
		mktemp_count="`expr $mktemp_count + 1`"
		mktemp_file="/tmp/adobe.$$.${mktemp_count}"
	    done

	    touch "$mktemp_file" && chmod 644 "$mktemp_file" && echo "$mktemp_file"
	}

called by:

	LOGFILE="`MkTemp /tmp/ssl_logXXXXXX`"
	CERTNAME="`MkTemp /tmp/certi.cerXXXXXX`"
	CERTDATA="`MkTemp /tmp/certDataXXXXXX`"


They seem to have replaced perfectly fine "mktemp" calls by their own unsecure
wrapper again. Just replace it back by "mktemp" and it will work.

No CVE allocated yet. I also have mailed PSIRT @ youknowhere.

Since this code is only run if you start acroread with special options, it is not
that problematic.

Ciao, Marcus
-- 
Working, but not speaking, for the following german company:
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Hosted by DataForce ISP - Powered by Openwall GNU/*/Linux