oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Acrobat Reader 8.1.2 tmp racy wrapper script

From: Marcus Meissner <meissner () suse de>
Date: Thu, 21 Feb 2008 17:26:12 +0100
Hi,

I wonder if we will ever get rid of tmpraces, but /usr/bin/acroread from
Acrobat Reader 8.1.2 has this gem that shows someone is forgetting the
past again:

        MkTemp()
        {
            if [ "${mktemp_count+set}" != "set" ]; then
                mktemp_count="0"
            fi

            mktemp_file="/tmp/acrobat.$$.${mktemp_count}"

            while /usr/bin/test -e "$mktemp_file"
            do
                mktemp_count="`expr $mktemp_count + 1`"
                mktemp_file="/tmp/adobe.$$.${mktemp_count}"
            done

            touch "$mktemp_file" && chmod 644 "$mktemp_file" && echo "$mktemp_file"
        }

called by:

        LOGFILE="`MkTemp /tmp/ssl_logXXXXXX`"
        CERTNAME="`MkTemp /tmp/certi.cerXXXXXX`"
        CERTDATA="`MkTemp /tmp/certDataXXXXXX`"


They seem to have replaced perfectly fine "mktemp" calls by their own unsecure
wrapper again. Just replace it back by "mktemp" and it will work.

No CVE allocated yet. I also have mailed PSIRT @ youknowhere.

Since this code is only run if you start acroread with special options, it is not
that problematic.

Ciao, Marcus
-- 
Working, but not speaking, for the following german company:
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
Previous By Date Next
Previous By Thread Next

Current thread: