[Bug 459031] New: VUL-0: [openSUSE:Factory:Contrib/pdfjam] has /tmp problems
https://bugzilla.novell.com/show_bug.cgi?id=459031

Summary: VUL-0: [openSUSE:Factory:Contrib/pdfjam] has /tmp problems
Product: openSUSE.org
Version: unspecified
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: 3rd party software
AssignedTo: puzel@novell.com
ReportedBy: meissner@novell.com
QAContact: opensuse-communityscreening@forge.provo.novell.com
CC: security-team@suse.de, opensuse-contrib@opensuse.org
Found By: Security Response Team

the 3 scripts in pdfjam all use /tmp unsafely.

instead of:

    tempfileDir="/var/tmp"

use

    tempfileDir=`mktemp -d /var/tmp/something.XXXXXXX`
    ( 6 X )
    .. catch error ...

    .. remove tempfileDir at end of script ...

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=459031

Petr Uzel <puzel@novell.com> changed:

What    |Removed |Added
----------------------------------------
Status  |NEW     |ASSIGNED

https://bugzilla.novell.com/show_bug.cgi?id=459031

User puzel@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=459031#c1

Petr Uzel <puzel@novell.com> changed:

What          |Removed  |Added
----------------------------------------------------
Status        |ASSIGNED |NEEDINFO
Info Provider |         |meissner@novell.com

--- Comment #1 from Petr Uzel <puzel@novell.com> 2008-12-15 09:10:46 MST ---

Marcus, why exactly is this unsafe? The scripts create various files in tempfileDir, but every such file contains script PID ($$) in the filename. So concurrent run of multiple instances shouldn't IMHO be a problem. Or am I missing something?

Thanks,

https://bugzilla.novell.com/show_bug.cgi?id=459031

User meissner@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=459031#c2

Marcus Meissner <meissner@novell.com> changed:

What          |Removed                       |Added
----------------------------------------------------------
CC            |opensuse-contrib@opensuse.org |
Status        |NEEDINFO                      |ASSIGNED
Info Provider |meissner@novell.com           |

--- Comment #2 from Marcus Meissner <meissner@novell.com> 2008-12-15 09:12:37 MST ---

removing the list from cc to avoid spam.

you can predict the PID of the script. Even the range is easy to do, just create 32768 symlinks.

Also some of the scripts (IIRC) generate multiple files from the same PID, you can just wait for the first one to be created and then create the next one.

https://bugzilla.novell.com/show_bug.cgi?id=459031

Petr Uzel <puzel@novell.com> changed:

What     |Removed   |Added
----------------------------------------
Priority |P5 - None |P4 - Low

https://bugzilla.novell.com/show_bug.cgi?id=459031

User meissner@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=459031#c3

--- Comment #3 from Marcus Meissner <meissner@novell.com> 2009-01-07 13:20:41 MST ---

from oss-sec:

Martin Väth also discovered an untrusted search path vulnerability in the pdfjam scripts: They prepend . to PATH, allowing attackers to execute code by preparing executables (e.g. sed) in the directory pdfnup was run from or in /var/tmp (e.g. pdflatex, cp, rm).

Martin also prepared a patch, see:
https://bugs.gentoo.org/show_bug.cgi?id=252734

Please assign another CVE for this issue.

Robert

https://bugzilla.novell.com/show_bug.cgi?id=459031

User meissner@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=459031#c4

--- Comment #4 from Marcus Meissner <meissner@novell.com> 2009-01-07 13:20:56 MST ---

Reply-To: oss-security@lists.openwall.com
Date: Wed, 7 Jan 2009 13:57:46 -0500 (EST)
From: "Steven M. Christey" <coley@linus.mitre.org>
To: oss-security@lists.openwall.com
Cc: Tomas Hoger <thoger@redhat.com>, coley@mitre.org
Subject: Re: [oss-security] CVE request - pdfjam

======================================================
Name: CVE-2008-5843
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5843
Reference: MLIST:[oss-security] 20081228 Re: CVE request - pdfjam
Reference: URL:http://openwall.com/lists/oss-security/2008/12/28/3
Reference: CONFIRM:https://bugs.gentoo.org/show_bug.cgi?id=252734

Multiple untrusted search path vulnerabilities in pdfjam allow local users to gain privileges via a Trojan horse program in (1) the current working directory or (2) /var/tmp, related to the (a) pdf90, (b) pdfjoin, and (c) pdfnup scripts.

https://bugzilla.novell.com/show_bug.cgi?id=459031

User puzel@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=459031#c5

--- Comment #5 from Petr Uzel <puzel@novell.com> 2009-01-08 03:52:54 MST ---

Thanks for the link - I've just submitted fixed package to Contrib.

https://bugzilla.novell.com/show_bug.cgi?id=459031

User puzel@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=459031#c8

Petr Uzel <puzel@novell.com> changed:

What       |Removed  |Added
----------------------------------------
Status     |ASSIGNED |RESOLVED
Resolution |         |FIXED

--- Comment #8 from Petr Uzel <puzel@novell.com> 2009-01-08 05:44:17 MST ---

Closing (see comment #5).

https://bugzilla.novell.com/show_bug.cgi?id=459031

User lnussel@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=459031#c9

--- Comment #9 from Ludwig Nussel <lnussel@novell.com> 2009-03-09 03:53:59 MST ---

======================================================
Name: CVE-2008-5743

pdfjam creates the (1) pdf90, (2) pdfjoin, and (3) pdfnup files with a predictable name, which allows local users to overwrite arbitrary files via a symlink attack.

Reference: MISC: https://bugzilla.novell.com/show_bug.cgi?id=459031
Reference: BID: http://www.securityfocus.com/bid/32931
Reference: MLIST: http://www.openwall.com/lists/oss-security/2008/12/19/3
Reference: SECUNIA: http://secunia.com/advisories/33278
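
The fix requested in the original report (a mktemp -d directory, an error check, cleanup at end of script) combined with a guard for the PATH issue from comments #3 and #4, as an added shell example that is not part of this thread and not pdfjam's own code. The function names, the "pdfjam." prefix and the TMPDIR fallback are assumptions.

```shell
#!/bin/sh
# Added example, not pdfjam's own code. Names below are assumptions.

# Weak pattern from the report (file name illustrative):
#   tempfileDir="/var/tmp"
#   out="$tempfileDir/name-$$.tex"   # guessable: PID in a shared directory

# Keep only absolute PATH entries; ".", "" and relative entries are dropped
# so a program planted in the working directory is never resolved.
sanitize_path() {
    old_ifs=$IFS; IFS=:
    clean=
    set -f                                   # no globbing while splitting
    for dir in $1; do
        case $dir in
            /*) clean=${clean:+$clean:}$dir ;;
        esac
    done
    set +f; IFS=$old_ifs
    printf '%s\n' "$clean"
}

# Create a private directory with a random name under base (default
# $TMPDIR, else /var/tmp as in the report) and print its path. mktemp -d
# never reuses an existing name, so a pre-planted symlink is not followed.
make_workdir() {
    base=${1:-${TMPDIR:-/var/tmp}}
    mktemp -d "$base/pdfjam.XXXXXXXX"
}

PATH=$(sanitize_path "$PATH"); export PATH
umask 077                                    # files inside are owner-only
tempfileDir=$(make_workdir) || { echo "cannot create temp dir" >&2; exit 1; }
trap 'rm -rf "$tempfileDir"' EXIT            # remove it at end of script
trap 'exit 1' HUP INT TERM                   # route signals through EXIT trap

# ... script body writes only below "$tempfileDir" ...
```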