didjvu, pdf2djvu insecure use of /tmp

2015.05.10

Credit: Jakub Wilk

Risk: Low

Local: Yes

Remote: No

CVE: N/A

CWE: N/A

didjvu and pdf2djvu are DjVu encoders that both use c44 (a command-line IW44 encoder, part of DjVuLibre) under the hood. More precisely, this is what they do:

* create a unique temporary file directly in /tmp (or in $TMPDIR)
* pass name of this file to c44 as the output file name

Unfortunately, it turns out that c44 deletes the output file, and then creates a new one under the same name (without O_EXCL). This opens a race window, during which malicious user could their own file under this name.


The bugs were fixed in didjvu 0.4 and pdf2djvu 0.7.21.


References:
https://bitbucket.org/jwilk/didjvu/issue/8
https://bitbucket.org/jwilk/pdf2djvu/issue/103
http://sourceforge.net/p/djvu/djvulibre-git/ci/release.3.5.27.1/tree/tools/c44.cpp#l769

--
Jakub Wilk

References:

https://bitbucket.org/jwilk/didjvu/issue/8

https://bitbucket.org/jwilk/pdf2djvu/issue/103

http://sourceforge.net/p/djvu/djvulibre-git/ci/release.3.5.27.1/tree/tools/c44.cpp#l769

http://seclists.org/oss-sec/2015/q2/399

See this note in RAW Version

Vote for this issue:

50%

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

didjvu, pdf2djvu insecure use of /tmp

References:

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

didjvu, pdf2djvu insecure use of /tmp

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.