Date: Sun, 10 May 2015 00:22:30 +0200 From: Jakub Wilk <jwilk@...lk.net> To: oss-security@...ts.openwall.com Subject: CVE requests: didjvu, pdf2djvu: insecure use of /tmp didjvu and pdf2djvu are DjVu encoders that both use c44 (a command-line IW44 encoder, part of DjVuLibre) under the hood. More precisely, this is what they do: * create a unique temporary file directly in /tmp (or in $TMPDIR) * pass name of this file to c44 as the output file name Unfortunately, it turns out that c44 deletes the output file, and then creates a new one under the same name (without O_EXCL). This opens a race window, during which malicious user could their own file under this name. The bugs were fixed in didjvu 0.4 and pdf2djvu 0.7.21. Please assign CVEs to these vulnerabilities. References: https://bitbucket.org/jwilk/didjvu/issue/8 https://bitbucket.org/jwilk/pdf2djvu/issue/103 http://sourceforge.net/p/djvu/djvulibre-git/ci/release.22.214.171.124/tree/tools/c44.cpp#l769 -- Jakub Wilk
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ