Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 25 Aug 2008 12:45:57 +0200
From: Jan Lieskovsky <jlieskov@...hat.com>
To: coley@...re.org
Cc: oss-security@...ts.openwall.com
Subject: CVE Request (gpicview)

Hello Steve,

  could you please allocate a CVE id for the following
three gpicview issues:

1,

http://sourceforge.net/tracker/index.php?func=detail&aid=2019481&group_id=180858&atid=894869

Possible symlink attack via the temporary created "/tmp/rot.jpg" 
file used for image rotation.

2,

http://sourceforge.net/tracker/index.php?func=detail&aid=2019485&group_id=180858&atid=894869

Related part of the code (the check for previous same filename file
existence is done only in the 'main_win_save' function):

#ifdef HAVE_LIBJPEG
    if(strcmp(type,"jpeg")==0){
        if(rotate_and_save_jpeg_lossless(file_name,mw->rotation_angle)!=0)
            main_win_show_error(mw, "Save failed! Check permissions.");
    } else
#endif
        main_win_save( mw, file_name, type, pref.ask_before_save ); 
        
By presence of the LIBJPEG library we could without confirmation rewrite
the by the symlink targeted JPEG filesystem file.

3, 

http://sourceforge.net/tracker/index.php?func=detail&aid=2019492&group_id=180858&atid=894869

Related part of the code:

void on_rotate_clockwise( GtkWidget* btn, MainWin* mw )
{
    rotate_image( mw, GDK_PIXBUF_ROTATE_CLOCKWISE );
    mw->rotation_angle += 90;
    if(pref.auto_save_rotated){
        pref.ask_before_save = FALSE;
        on_save(btn,mw);
        pref.ask_before_save = TRUE;
    }
}

Consequences: Bad enough, just think about them in context of the two
previously mentioned issues.

Public mention of these issues:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495968


Thank you in advance!

Kind regards
Jan iankko Lieskovsky
RH Security Resposne Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ