Date: Sun, 10 May 2015 00:22:30 +0200 From: Jakub Wilk <jwilk@...lk.net> To: oss-security@...ts.openwall.com Subject: CVE requests: didjvu, pdf2djvu: insecure use of /tmp didjvu and pdf2djvu are DjVu encoders that both use c44 (a command-line IW44 encoder, part of DjVuLibre) under the hood. More precisely, this is what they do: * create a unique temporary file directly in /tmp (or in $TMPDIR) * pass name of this file to c44 as the output file name Unfortunately, it turns out that c44 deletes the output file, and then creates a new one under the same name (without O_EXCL). This opens a race window, during which malicious user could their own file under this name. The bugs were fixed in didjvu 0.4 and pdf2djvu 0.7.21. Please assign CVEs to these vulnerabilities. References: https://bitbucket.org/jwilk/didjvu/issue/8 https://bitbucket.org/jwilk/pdf2djvu/issue/103 http://sourceforge.net/p/djvu/djvulibre-git/ci/release.188.8.131.52/tree/tools/c44.cpp#l769 -- Jakub Wilk
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.