Date: Sun, 28 Dec 2008 14:55:57 +0100
From: Robert Buchholz <rbu@...too.org>
To: oss-security@...ts.openwall.com
Cc: Tomas Hoger <thoger@...hat.com>,
 coley@...re.org
Subject: Re: CVE request - pdfjam

On Friday 19 December 2008, Tomas Hoger wrote:
> Hi!
>
> Insecure temporary file handling flaw was reported for pdfjam:
>
> https://bugzilla.novell.com/show_bug.cgi?id=459031
>
> Issue affects all 3 scripts shipped in pdfjam: pdf90, pdfjoin and
> pdfnup
>
> They create various temporary files in tempfileDir (/var/tmp),
> process id ($$) is used for file name uniqueness.

Martin Väth also discovered an untrusted search path vulnerability in 
the pdfjam scripts: They prepend . to PATH, allowing attackers to 
execute code by preparing executables (e.g. sed) in the directory 
pdfnup was run from or in /var/tmp (e.g. pdflatex, cp, rm).

Martin also prepared a patch, see:
https://bugs.gentoo.org/show_bug.cgi?id=252734

Please assign another CVE for this issue.

Robert
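
The two flaws discussed in this message, seen from the fixing side, as an added example (not part of the original post and not the patch referenced above): POSIX shell helpers that strip current-directory entries from a PATH string and create an unpredictably named private work directory instead of one derived from `$$`. The function names are hypothetical, and `mktemp` is assumed to be available.

```shell
#!/bin/sh
# Added example, not pdfjam code; function names are hypothetical.

# Print PATH-style string $1 without the entries a shell resolves against
# the current directory: empty entries (leading, trailing or doubled
# colons), "." and every other relative entry.
sanitize_path() (
    IFS=:
    set -f                      # no glob expansion while splitting
    out=
    for entry in $1; do
        case $entry in
            /*) out=${out:+$out:}$entry ;;   # absolute: keep
            *)  ;;                           # "", ".", "bin", "./x": drop
        esac
    done
    printf '%s\n' "$out"
)

# Succeed only if $1 is non-empty and sanitizing would not change it.
path_is_safe() {
    [ -n "$1" ] && [ "$(sanitize_path "$1")" = "$1" ]
}

# Create a private, unpredictably named work directory under $1 (default
# /var/tmp) and print its path. mktemp -d fails instead of reusing a name
# that already exists, unlike a file name built from the process id ($$).
make_private_workdir() (
    umask 077
    mktemp -d "${1:-/var/tmp}/pdfjam.XXXXXXXXXX"
)

# Constructed sample: the kind of PATH the message describes, with "." first.
sample='.:/usr/bin:/bin'
if ! path_is_safe "$sample"; then
    printf 'unsafe PATH %s -> %s\n' "$sample" "$(sanitize_path "$sample")"
fi
```

A script would assign the sanitized value back to PATH before invoking any helper program, and keep all intermediate files inside the directory that `make_private_workdir` prints.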
