didjvu, pdf2djvu insecure use of /tmp

2015.05.10
Credit: Jakub Wilk
Risk: Low
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

didjvu and pdf2djvu are DjVu encoders that both use c44 (a command-line IW44 encoder, part of DjVuLibre) under the hood. More precisely, this is what they do:

* create a unique temporary file directly in /tmp (or in $TMPDIR)
* pass the name of this file to c44 as the output file name

Unfortunately, it turns out that c44 deletes the output file, and then creates a new one under the same name (without O_EXCL). This opens a race window, during which a malicious user could create their own file under this name.

The bugs were fixed in didjvu 0.4 and pdf2djvu 0.7.21.

References:
https://bitbucket.org/jwilk/didjvu/issue/8
https://bitbucket.org/jwilk/pdf2djvu/issue/103
http://sourceforge.net/p/djvu/djvulibre-git/ci/release.3.5.27.1/tree/tools/c44.cpp#l769

-- 
Jakub Wilk

References:

https://bitbucket.org/jwilk/didjvu/issue/8
https://bitbucket.org/jwilk/pdf2djvu/issue/103
http://sourceforge.net/p/djvu/djvulibre-git/ci/release.3.5.27.1/tree/tools/c44.cpp#l769
http://seclists.org/oss-sec/2015/q2/399
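
The delete-then-recreate behaviour described above, shown as an added example (not code from didjvu, pdf2djvu or DjVuLibre, and not a description of how the projects fixed the bug): a create without O_EXCL accepts a name that reappeared after unlink(), an exclusive create refuses it, and a private 0700 directory keeps other local users from creating the name at all. The function names, the `djvu-example.XXXXXX` template and `output.djvu` are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Create as the advisory describes for c44: no O_EXCL, so a file (or a
 * symlink) that already exists under the name is opened and truncated. */
static int create_without_excl(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Exclusive create: fails with EEXIST if the name exists, symlinks included. */
static int create_with_excl(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Caller-side option: an output name inside a fresh 0700 directory, where
 * other local users cannot create entries. Names here are hypothetical. */
static int private_output_path(char *out, size_t len) {
    const char *base = getenv("TMPDIR");
    char dir[4096];
    if (base == NULL || *base == '\0') base = "/tmp";
    if (snprintf(dir, sizeof dir, "%s/djvu-example.XXXXXX", base) >= (int)sizeof dir) return -1;
    if (mkdtemp(dir) == NULL) return -1;
    return snprintf(out, len, "%s/output.djvu", dir) < (int)len ? 0 : -1;
}

/* Returns 1 when a name that reappears after unlink() is accepted by the
 * non-exclusive create and refused by the exclusive one. */
static int demo(void) {
    char path[4200];
    if (private_output_path(path, sizeof path) != 0) return -1;
    close(create_with_excl(path));          /* stands in for the caller's temp file */
    unlink(path);                           /* first step taken on the output name */
    close(create_with_excl(path));          /* constructed: name reappears in the window */
    int loose = create_without_excl(path);  /* opens the pre-existing file */
    int strict = create_with_excl(path);    /* refuses */
    int strict_errno = errno;
    if (loose >= 0) close(loose);
    unlink(path);
    *strrchr(path, '/') = '\0';
    rmdir(path);
    return loose >= 0 && strict < 0 && strict_errno == EEXIST;
}

int main(void) { return demo() == 1 ? 0 : 1; }
```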

