|
Message-Id: <1219661157.7715.13.camel@iankko.englab.brq.redhat.com> Date: Mon, 25 Aug 2008 12:45:57 +0200 From: Jan Lieskovsky <jlieskov@...hat.com> To: coley@...re.org Cc: oss-security@...ts.openwall.com Subject: CVE Request (gpicview) Hello Steve, could you please allocate a CVE id for the following three gpicview issues: 1, http://sourceforge.net/tracker/index.php?func=detail&aid=2019481&group_id=180858&atid=894869 Possible symlink attack via the temporary created "/tmp/rot.jpg" file used for image rotation. 2, http://sourceforge.net/tracker/index.php?func=detail&aid=2019485&group_id=180858&atid=894869 Related part of the code (the check for previous same filename file existence is done only in the 'main_win_save' function): #ifdef HAVE_LIBJPEG if(strcmp(type,"jpeg")==0){ if(rotate_and_save_jpeg_lossless(file_name,mw->rotation_angle)!=0) main_win_show_error(mw, "Save failed! Check permissions."); } else #endif main_win_save( mw, file_name, type, pref.ask_before_save ); By presence of the LIBJPEG library we could without confirmation rewrite the by the symlink targeted JPEG filesystem file. 3, http://sourceforge.net/tracker/index.php?func=detail&aid=2019492&group_id=180858&atid=894869 Related part of the code: void on_rotate_clockwise( GtkWidget* btn, MainWin* mw ) { rotate_image( mw, GDK_PIXBUF_ROTATE_CLOCKWISE ); mw->rotation_angle += 90; if(pref.auto_save_rotated){ pref.ask_before_save = FALSE; on_save(btn,mw); pref.ask_before_save = TRUE; } } Consequences: Bad enough, just think about them in context of the two previously mentioned issues. Public mention of these issues: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495968 Thank you in advance! Kind regards Jan iankko Lieskovsky RH Security Resposne Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.