oss-sec mailing list archives

CVE request, libdigidoc arbitrary file overwrite flaw


From: Vincent Danen <vdanen () redhat com>
Date: Wed, 28 Aug 2013 14:41:17 -0600

I did not see a CVE for this or a request for the same, so can one be
assigned please?  Just going to cut and paste from our bugzilla:

It was reported [1],[2] that ID-software 3.7.2 (libdigidoc):

"Fixed one critical bug in the DDOC parsing routines. By persuading a
victim to open a specially-crafted DDOC file, a remote attacker could
exploit this vulnerability to overwrite arbitrary files on the system
with the privileges of the victim."

The patch is in svn (not the repository from code.google.com/p/esteid,
but from svn.eesti.ee) [3] (r98).  This patch was backported for Mageia
[4] and looks applicable to what we ship in Fedora (although we have a
much older version).  The patch from Mageia (or upstream) won't apply
without changes, however, as it's adding a new error code.  Judging from
the patch, it's just making sure that the file name doesn't include '/'
or '\\' (so no paths in the filename).


[1] http://www.id.ee/?lang=en&id=34283#3_7_2
[2] https://bugs.mageia.org/show_bug.cgi?id=11100
[3] https://svn.eesti.ee/projektid/idkaart_public/
[4] http://svnweb.mageia.org/packages/updates/3/libdigidoc/current/SOURCES/libdigidoc-3.6.0.0-security-fix-DataFile-name-tag.patch?revision=472660&view=markup

https://bugzilla.redhat.com/show_bug.cgi?id=1002299

Thanks.

--
Vincent Danen / Red Hat Security Response Team
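
The file name check described in the message above, as an added example that is not part of the original post and is not libdigidoc's code or the upstream patch. The function names, error codes and sample names are hypothetical; rejecting empty names, "." and ".." goes beyond the '/' and '\\' check the message describes.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical error codes for this example (not libdigidoc's). */
enum { NAME_OK = 0, ERR_NAME_EMPTY, ERR_NAME_HAS_PATH, ERR_NAME_DOT, ERR_PATH_TOO_LONG };

/* Validate a file name read from an untrusted container before it is
 * used to create a file on disk. */
int check_datafile_name(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return ERR_NAME_EMPTY;
    /* The check described in the message: no '/' or '\' anywhere. */
    if (strpbrk(name, "/\\") != NULL)
        return ERR_NAME_HAS_PATH;
    /* Assumption beyond the message: "." and ".." are not file names either. */
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return ERR_NAME_DOT;
    return NAME_OK;
}

/* Build "<out_dir>/<name>" only when the name is valid; dst is "" on error. */
int build_extract_path(char *dst, size_t dst_len, const char *out_dir, const char *name)
{
    int rc, n;
    if (dst == NULL || dst_len == 0)
        return ERR_PATH_TOO_LONG;
    dst[0] = '\0';
    if ((rc = check_datafile_name(name)) != NAME_OK)
        return rc;
    n = snprintf(dst, dst_len, "%s/%s", out_dir, name);
    if (n < 0 || (size_t)n >= dst_len) {
        dst[0] = '\0';
        return ERR_PATH_TOO_LONG;
    }
    return NAME_OK;
}

int main(void)
{
    /* Constructed sample names, as they might appear in a container. */
    const char *names[] = { "contract.pdf", "../outside.txt", "..\\outside.txt", "/tmp/outside.txt", ".." };
    char path[64];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int rc = build_extract_path(path, sizeof path, "/tmp/out", names[i]);
        printf("%-18s rc=%d path=\"%s\"\n", names[i], rc, path);
    }
    return 0;
}
```

Validating the name before it is joined to the output directory means a rejected name never reaches a file-open call.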
