oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE requests: didjvu, pdf2djvu: insecure use of /tmp

From: Jakub Wilk <jwilk () jwilk net>
Date: Sun, 10 May 2015 00:22:30 +0200
didjvu and pdf2djvu are DjVu encoders that both use c44 (a command-line IW44 encoder, part of DjVuLibre) under the hood. More precisely, this is what they do: 

* create a unique temporary file directly in /tmp (or in $TMPDIR)
* pass name of this file to c44 as the output file name
Unfortunately, it turns out that c44 deletes the output file, and then creates a new one under the same name (without O_EXCL). This opens a race window, during which malicious user could their own file under this name. 

The bugs were fixed in didjvu 0.4 and pdf2djvu 0.7.21.
Please assign CVEs to these vulnerabilities.

References:
https://bitbucket.org/jwilk/didjvu/issue/8
https://bitbucket.org/jwilk/pdf2djvu/issue/103
http://sourceforge.net/p/djvu/djvulibre-git/ci/release.3.5.27.1/tree/tools/c44.cpp#l769

--
Jakub Wilk
Previous By Date Next
Previous By Thread Next

Current thread: