Bugtraq mailing list archives

Re: Adobe Acrobat creates world writable ~/AdobeFnt.lst files

From: Darren Moffat <Darren.Moffat () eng sun com>
Date: Wed, 22 Aug 2001 10:35:07 -0700 (PDT)

Adobe Acrobat creates world writable ~/AdobeFnt.lst files

This problem is present in at least the Linux version:
ftp://ftp.adobe.com/pub/adobe/acrobatreader/unix/4.x/linux-ar-405.tar.gz

Even with umask as restrictive as 077, the Adobe binary explicitly
creates and changes the AdobeFnt.lst file in the HOME directory to be
world (and group) writable.


What anoys me almost as much as ignoring the umask is that this file
is placed directly into $HOME and isn't a "." file.

Vendor notified: on or before 2001-03-02


I notified Adobe of this on October 27th 1999 and never got any reply,
see attached.


Another possible workaround would be to create a shared object that
replaced the open/chmod calls that change the permissions on the file,
this could then be LD_PRELOAD'd so that acroread doesn't do the wrong thing.

Using truss on Solaris we can easily see that acroread actually makes
an explicit call to set the permissions to 0666.

251032: open("/home/darrenm/AdobeFnt.lst", O_WRONLY|O_CREAT|O_TRUNC, 01) = 6
251032: fchmod(6, 0666)         

--
Darren J Moffat




------------- Begin Included Message -------------

From darrenm Wed Oct 27 10:08:37 1999

Date: Wed, 27 Oct 1999 10:08:37 +0100 (BST)
From: Darren Moffat - Solaris Sustaining Engineering <darrenm () otis uk>
Subject: Acrobat Reader 4.0 for Solaris
To: security () adobe com
X-Mailer: dtmail 1.3.0 @(#)CDE Version 1.4_33 SunOS 5.8 sun4u sparc
Mime-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
Content-MD5: vU9ym6j5UvaH9PQ8ueMX+A==
Content-Length: 654
Status:  O
X-Status: $$$$
X-UID: 0000000176

When starting the Acrobat Reader 4.0 for the first time a new file
called AdobeFnt.lst is created in the users home directory.  This file
is created with world writeable permissions (666).

Given that this file contains font mappings, this is a security hole as
it would allow someone else to replace your font definitions thus making
the documents appear different to what the author intended.

While you are fixing this security hole, may I suggest that you put the
file in a less obtrusive place.  Dumping non "." files in a users home
directory is considered very bad form in UNIX.

Thanks

--
Darren J Moffat
Solaris Software Sustaining Engineering

------------- End Included Message -------------

Current thread:

Adobe Acrobat creates world writable ~/AdobeFnt.lst files Michael Paoli (Aug 22)
- <Possible follow-ups>
- Re: Adobe Acrobat creates world writable ~/AdobeFnt.lst files Darren Moffat (Aug 22)
- Re: Adobe Acrobat creates world writable ~/AdobeFnt.lst files wim (Aug 22)
- Re: Adobe Acrobat creates world writable ~/AdobeFnt.lst files Darren Moffat (Aug 22)
  - Re: Adobe Acrobat creates world writable ~/AdobeFnt.lst files Scott Howard (Aug 22)
- Re: Adobe Acrobat creates world writable ~/AdobeFnt.lst files Darren Moffat (Aug 23)