oss-sec mailing list archives
CVE request: /tmp file vulnerability in ace
From: Helmut Grohne <helmut () subdivi de>
Date: Sun, 7 Sep 2014 09:47:39 +0200
Please assign a CVE number for the ace build process using predictable filenames in a world-writeable directory (DAC violation). Upstream: http://www.dre.vanderbilt.edu/~schmidt/ACE.html In bin/generate_doxygen.pl line 177 it says:
my $output = "/tmp/".$i.".".$$.".doxygen";
This path is later opened for writing. For context, see: http://sources.debian.net/src/ace/6.2.7%2Bdfsg-1/bin/generate_doxygen.pl/#L177 Initial disclosure: http://bugs.debian.org/760709 (end of CVE request) A quick "grep -r /tmp $ace_source" indicates more occasions that may be worth researching. Most of the results reside within examples or documentation though. An interesting find is bin/g++-dep line 63:
TMP=/tmp/g++dep$$
This path is also used for writing. The context can be found at: http://sources.debian.net/src/ace/6.2.7%2Bdfsg-1/bin/g%2B%2Bdep/#L63 I am not sure whether instance is actually executed during the build, but the Debian package installs it to the development package available for user consumption. Thanks Helmut
Current thread:
- CVE request: /tmp file vulnerability in ace Helmut Grohne (Sep 07)
- Re: CVE request: /tmp file vulnerability in ace cve-assign (Sep 11)
- Re: CVE request: /tmp file vulnerability in ace Helmut Grohne (Sep 12)
- Re: CVE request: /tmp file vulnerability in ace cve-assign (Sep 12)
- Re: CVE request: /tmp file vulnerability in ace Helmut Grohne (Sep 12)
- Re: CVE request: /tmp file vulnerability in ace cve-assign (Sep 11)