oss-sec mailing list archives
CVE requests: didjvu, pdf2djvu: insecure use of /tmp
From: Jakub Wilk <jwilk () jwilk net>
Date: Sun, 10 May 2015 00:22:30 +0200
didjvu and pdf2djvu are DjVu encoders that both use c44 (a command-line IW44 encoder, part of DjVuLibre) under the hood. More precisely, this is what they do:
* create a unique temporary file directly in /tmp (or in $TMPDIR)
* pass the name of this file to c44 as the output file name

Unfortunately, it turns out that c44 deletes the output file, and then creates a new one under the same name (without O_EXCL). This opens a race window, during which a malicious user could create their own file under this name.
The bugs were fixed in didjvu 0.4 and pdf2djvu 0.7.21. Please assign CVEs to these vulnerabilities.

References:
https://bitbucket.org/jwilk/didjvu/issue/8
https://bitbucket.org/jwilk/pdf2djvu/issue/103
http://sourceforge.net/p/djvu/djvulibre-git/ci/release.3.5.27.1/tree/tools/c44.cpp#l769

--
Jakub Wilk
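An added example, not part of the original post and not code from didjvu, pdf2djvu or c44: it reproduces the delete-then-re-create sequence described above inside a private scratch directory and compares the open with and without O_EXCL when something already sits at the output path. The function names, the `/tmp/c44-demo-XXXXXX` template and the file names are constructed for the illustration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open step of "delete, then re-create". excl=0 mirrors the behaviour the
 * post describes (no O_EXCL); excl=1 is the hardened form.
 * Returns 0 on success or the errno value from open(). */
static int create_output(const char *path, int excl)
{
    int fd = open(path, O_WRONLY | O_CREAT | (excl ? O_EXCL : O_TRUNC), 0600);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Simulate the window inside a private scratch directory: after the unlink,
 * a symlink (constructed, standing in for another user's file) sits at the
 * output path. Returns 1 if the open wrote through it to `elsewhere`. */
static int window_outcome(int excl, int *open_err)
{
    char dir[] = "/tmp/c44-demo-XXXXXX";         /* constructed template */
    char out[64], elsewhere[64];
    struct stat st;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(out, sizeof out, "%s/out.djvu", dir);
    snprintf(elsewhere, sizeof elsewhere, "%s/elsewhere", dir);
    unlink(out);                                 /* encoder deletes its output */
    if (symlink(elsewhere, out) != 0) {          /* state after a lost race */
        rmdir(dir);
        return -1;
    }
    *open_err = create_output(out, excl);        /* encoder re-creates it */
    int followed = (stat(elsewhere, &st) == 0);  /* did the link target appear? */
    unlink(elsewhere); unlink(out); rmdir(dir);
    return followed;
}

int main(void)
{
    int e1 = 0, e2 = 0;
    int plain = window_outcome(0, &e1), excl = window_outcome(1, &e2);
    printf("no O_EXCL: followed=%d err=%d\n", plain, e1);
    printf("O_EXCL:    followed=%d err=%d\n", excl, e2);
    return 0;
}
```

The scratch directory itself comes from mkdtemp(), which creates it with mode 0700, so other users cannot write into it while the output file is deleted and re-created there.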