Date: Sun, 10 May 2015 00:22:30 +0200
From: Jakub Wilk <jwilk@...lk.net>
To: oss-security@...ts.openwall.com
Subject: CVE requests: didjvu, pdf2djvu: insecure use of /tmp

didjvu and pdf2djvu are DjVu encoders that both use c44 (a command-line 
IW44 encoder, part of DjVuLibre) under the hood. More precisely, this is 
what they do:

* create a unique temporary file directly in /tmp (or in $TMPDIR)
* pass the name of this file to c44 as the output file name

Unfortunately, it turns out that c44 deletes the output file, and then 
creates a new one under the same name (without O_EXCL). This opens a 
race window, during which a malicious user could create their own file 
under this name.

The bugs were fixed in didjvu 0.4 and pdf2djvu 0.7.21.
Please assign CVEs to these vulnerabilities.

References:
https://bitbucket.org/jwilk/didjvu/issue/8
https://bitbucket.org/jwilk/pdf2djvu/issue/103
http://sourceforge.net/p/djvu/djvulibre-git/ci/release.3.5.27.1/tree/tools/c44.cpp#l769

-- 
Jakub Wilk
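
The delete-then-recreate pattern described in the message above, as an added example that is not part of the original post and is not code from didjvu, pdf2djvu or DjVuLibre. The open flags other than the missing O_EXCL, the `window` hook that stands in for the race window, and the private-directory mitigation in case 3 are assumptions made for illustration, not the projects' actual fixes.

```python
import os
import stat
import tempfile

def rewrite_output(path, data, excl, window=None):
    """Delete `path`, then create it again, as the post says c44 does.
    `window` is a constructed hook standing in for the race window."""
    os.unlink(path)
    if window:
        window(path)
    flags = os.O_WRONLY | os.O_CREAT | (os.O_EXCL if excl else os.O_TRUNC)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return os.stat(path).st_ino

def demo():
    """Report what happens in each case when the name reappears mid-race."""
    planted = {}
    def recreate(path):
        # Stands in for a different local user creating the same name.
        with open(path, "wb"):
            pass
        planted["ino"] = os.stat(path).st_ino

    out = {}
    with tempfile.TemporaryDirectory() as shared:  # stands in for /tmp
        # 1. Unique file directly in the shared directory, no O_EXCL:
        #    the data lands in a file the tool did not create.
        fd, name = tempfile.mkstemp(dir=shared, suffix=".djvu")
        os.close(fd)
        ino = rewrite_output(name, b"IW44", excl=False, window=recreate)
        out["wrote_into_foreign_file"] = (ino == planted["ino"])
        # 2. Same steps with O_EXCL: creation refuses the reappeared name.
        fd, name = tempfile.mkstemp(dir=shared, suffix=".djvu")
        os.close(fd)
        try:
            rewrite_output(name, b"IW44", excl=True, window=recreate)
            out["excl_refused"] = False
        except FileExistsError:
            out["excl_refused"] = True
        # 3. Caller-side: output name inside a 0700 directory, where no
        #    other user can create entries while the tool recreates it.
        private = tempfile.mkdtemp(dir=shared)
        name = os.path.join(private, "out.djvu")
        open(name, "wb").close()
        rewrite_output(name, b"IW44", excl=False)
        out["private_dir_mode"] = stat.S_IMODE(os.stat(private).st_mode)
    return out
```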
