Bugtraq mailing list archives
Re: Adobe Acrobat creates world writable ~/AdobeFnt.lst files
From: Darren Moffat <Darren.Moffat () eng sun com>
Date: Thu, 23 Aug 2001 13:07:01 -0700 (PDT)
The AdobeFnt.lst file is actually comes from libCoolType.so.1 so there is potential that other Adobe software that uses libCoolType.so.1 would also be vulnerable to this bug. I don't know if there is other stuff that uses libCoolType or not, but looking at the symbol table it appears that it is a font library of sorts [I also noticed that it was compiled with gcc ;-)]. It appears that the permissions are only set insecurely if the file didn't already exist, so a very simple wrapper around AdobeFnt.lst that created the file with good permissions first would probably suffice. Using truss on Solaris I discovered that the creation of the AdobeFnt.lst file in the users home directory is the only time that fchmod(fd, 0666) was called so my previous LD_PRELOAD fix that circumvents Adobe's poor security can be simplfied to just this (which I have compiled and tested): #include <limits.h> #include <sys/types.h> #include <dlfcn.h> #include <stdio.h> #include <stdlib.h> int fchmod(int fildes, mode_t mode) { static int (*fptr)(int fildes, mode_t mode) = 0; if (fptr == 0) { fptr = (int (*)(int, mode_t))dlsym(RTLD_NEXT, "fchmod"); if (fptr == NULL) { (void) printf("dlopen: %s\n", dlerror()); return NULL; } } mode = 0600; return ((fptr)(fildes, mode)); } -- Darren J Moffat
Current thread:
- Adobe Acrobat creates world writable ~/AdobeFnt.lst files Michael Paoli (Aug 22)
- <Possible follow-ups>
- Re: Adobe Acrobat creates world writable ~/AdobeFnt.lst files Darren Moffat (Aug 22)
- Re: Adobe Acrobat creates world writable ~/AdobeFnt.lst files wim (Aug 22)
- Re: Adobe Acrobat creates world writable ~/AdobeFnt.lst files Darren Moffat (Aug 22)
- Re: Adobe Acrobat creates world writable ~/AdobeFnt.lst files Scott Howard (Aug 22)
- Re: Adobe Acrobat creates world writable ~/AdobeFnt.lst files Darren Moffat (Aug 23)