oss-sec mailing list archives
CVE request, libdigidoc arbitrary file overwrite flaw
From: Vincent Danen <vdanen () redhat com>
Date: Wed, 28 Aug 2013 14:41:17 -0600
I did not see a CVE for this or a request for the same, so can one be assigned please? Just going to cut and paste from our bugzilla:

It was reported [1],[2] that ID-software 3.7.2 (libdigidoc):

"Fixed one critical bug in the DDOC parsing routines. By persuading a victim to open a specially-crafted DDOC file, a remote attacker could exploit this vulnerability to overwrite arbitrary files on the system with the privileges of the victim."

The patch is in svn (not the repository from code.google.com/p/esteid, but from svn.eesti.ee) [3] (r98). This patch was backported for Mageia [4] and looks applicable to what we ship in Fedora (although we have a much older version). The patch from Mageia (or upstream) won't apply without changes, however, as it's adding a new error code.

Judging from the patch, it's just making sure that the file name doesn't include '/' or '\\' (so no paths in the filename).

[1] http://www.id.ee/?lang=en&id=34283#3_7_2
[2] https://bugs.mageia.org/show_bug.cgi?id=11100
[3] https://svn.eesti.ee/projektid/idkaart_public/
[4] http://svnweb.mageia.org/packages/updates/3/libdigidoc/current/SOURCES/libdigidoc-3.6.0.0-security-fix-DataFile-name-tag.patch?revision=472660&view=markup

https://bugzilla.redhat.com/show_bug.cgi?id=1002299

Thanks.

--
Vincent Danen / Red Hat Security Response Team