Date: Sun, 7 Sep 2014 09:47:39 +0200
From: Helmut Grohne <helmut@...divi.de>
To: oss-security@...ts.openwall.com
Subject: CVE request: /tmp file vulnerability in ace

Please assign a CVE number for the ace build process using predictable
filenames in a world-writeable directory (DAC violation).

Upstream: http://www.dre.vanderbilt.edu/~schmidt/ACE.html

In bin/generate_doxygen.pl line 177 it says:
> my $output = "/tmp/".$i.".".$$.".doxygen";

This path is later opened for writing. For context, see:
http://sources.debian.net/src/ace/6.2.7%2Bdfsg-1/bin/generate_doxygen.pl/#L177

Initial disclosure: http://bugs.debian.org/760709

(end of CVE request)

A quick "grep -r /tmp $ace_source" indicates more occasions that may be
worth researching. Most of the results reside within examples or
documentation though.

An interesting find is bin/g++-dep line 63:
> TMP=/tmp/g++dep$$
This path is also used for writing. The context can be found at:
http://sources.debian.net/src/ace/6.2.7%2Bdfsg-1/bin/g%2B%2Bdep/#L63
I am not sure whether this instance is actually executed during the build,
but the Debian package installs it to the development package available
for user consumption.

Thanks

Helmut
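
Added example, not part of the original message or of the ACE source: a shell sketch of why the `/tmp/g++dep$$` pattern quoted above is unsafe and how `mktemp` avoids it. The function names and the sandbox layout are assumptions made for the illustration; it runs inside a private `mktemp -d` directory.

```shell
#!/bin/sh
# Added example. Function names and the sandbox layout are constructed here;
# only the "g++dep$$" naming pattern comes from the report.

# Pattern from the report: fixed prefix plus PID, opened with a plain redirect.
# The shell opens the path without O_EXCL, so a file or symlink that already
# sits at that name is followed and overwritten.
predictable_write() {            # $1 = directory, $2 = data
    echo "$2" > "$1/g++dep$$"
}

# Hardened form: mktemp chooses a random suffix and creates the file itself
# (exclusive create, mode 0600); it fails instead of reusing an existing name.
safe_write() {                   # $1 = directory, $2 = data; prints the path used
    tmp=$(mktemp "$1/g++dep.XXXXXXXXXX") || return 1
    echo "$2" > "$tmp" && printf '%s\n' "$tmp"
}

# Runs both forms in a private mktemp -d directory where the predictable name
# already exists as a symlink to an unrelated file, then prints the content
# of that unrelated file after each write.
compare_writes() {
    sandbox=$(mktemp -d) || return 1
    echo original > "$sandbox/unrelated"
    ln -s "$sandbox/unrelated" "$sandbox/g++dep$$"

    safe_write "$sandbox" scratch > /dev/null
    after_safe=$(cat "$sandbox/unrelated")

    predictable_write "$sandbox" scratch
    after_predictable=$(cat "$sandbox/unrelated")

    rm -rf "$sandbox"
    printf 'safe=%s predictable=%s\n' "$after_safe" "$after_predictable"
}

compare_writes
```

The same reasoning applies to the Perl line in bin/generate_doxygen.pl, where the core File::Temp module provides the equivalent exclusive-create behaviour.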
