Message-ID: <20150509222230.GA1268@jwilk.net>
Date: Sun, 10 May 2015 00:22:30 +0200
From: Jakub Wilk <jwilk@...lk.net>
To: oss-security@...ts.openwall.com
Subject: CVE requests: didjvu, pdf2djvu: insecure use of /tmp

didjvu and pdf2djvu are DjVu encoders that both use c44 (a command-line 
IW44 encoder, part of DjVuLibre) under the hood. More precisely, this is 
what they do:

* create a unique temporary file directly in /tmp (or in $TMPDIR)
* pass name of this file to c44 as the output file name

Unfortunately, it turns out that c44 deletes the output file, and then 
creates a new one under the same name (without O_EXCL). This opens a 
race window, during which a malicious user could create their own file 
under this name.

The bugs were fixed in didjvu 0.4 and pdf2djvu 0.7.21.
Please assign CVEs to these vulnerabilities.

References:
https://bitbucket.org/jwilk/didjvu/issue/8
https://bitbucket.org/jwilk/pdf2djvu/issue/103
http://sourceforge.net/p/djvu/djvulibre-git/ci/release.3.5.27.1/tree/tools/c44.cpp#l769

-- 
Jakub Wilk
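
Added example (not part of the original message, and not code from didjvu, pdf2djvu or DjVuLibre): the delete-then-create sequence described above, with and without O_EXCL, and a caller-side mitigation that points the encoder at a name inside a private mkdtemp() directory. The function names, the "enc" prefix and "out.djvu" are made up for illustration, and the message does not say how the two projects actually fixed the bug.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1 /* mkdtemp(), O_NOFOLLOW */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Delete, then create. excl=1 adds O_EXCL|O_NOFOLLOW, so a name that appeared
 * in the gap gives EEXIST. in_gap (may be NULL) simulates losing the race. */
int recreate(const char *path, int excl, void (*in_gap)(const char *))
{
    if (unlink(path) != 0 && errno != ENOENT)
        return -1;
    if (in_gap)
        in_gap(path);
    return open(path, O_WRONLY | O_CREAT | (excl ? O_EXCL | O_NOFOLLOW : O_TRUNC), 0600);
}

/* Constructed stand-in for another process that creates the name first. */
void other_party(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT, 0644);
    if (fd >= 0) close(fd);
}

/* Mitigation on the caller's side (an assumption, see above): a 0700 directory
 * from mkdtemp(), so no other user can create entries beside the output. */
int private_output_path(char *dir, size_t dirlen, char *out, size_t outlen)
{
    const char *base = getenv("TMPDIR");
    if (!base || !*base)
        base = "/tmp";
    if ((size_t)snprintf(dir, dirlen, "%s/encXXXXXX", base) >= dirlen || !mkdtemp(dir))
        return -1;
    return (size_t)snprintf(out, outlen, "%s/out.djvu", dir) < outlen ? 0 : -1;
}

int main(void)
{
    char dir[4096], out[4200];
    if (private_output_path(dir, sizeof dir, out, sizeof out) != 0)
        return 1;
    int lost = recreate(out, 1, other_party) < 0 && errno == EEXIST;
    printf("%s: lost race detected: %s\n", out, lost ? "yes" : "no");
    unlink(out);
    rmdir(dir);
    return !lost;
}
```

With excl=0 the same simulated race goes unnoticed: open() succeeds on the file the other party created.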
