Message-ID: <20140907074739.GA29387@alf.mars>
Date: Sun, 7 Sep 2014 09:47:39 +0200
From: Helmut Grohne <helmut@...divi.de>
To: oss-security@...ts.openwall.com
Subject: CVE request: /tmp file vulnerability in ace

Please assign a CVE number for the ace build process using predictable
filenames in a world-writeable directory (DAC violation).

Upstream: http://www.dre.vanderbilt.edu/~schmidt/ACE.html

In bin/generate_doxygen.pl line 177 it says:

> my $output = "/tmp/".$i.".".$$.".doxygen";

This path is later opened for writing. For context, see:
http://sources.debian.net/src/ace/6.2.7%2Bdfsg-1/bin/generate_doxygen.pl/#L177

Initial disclosure: http://bugs.debian.org/760709

(end of CVE request)

A quick "grep -r /tmp $ace_source" indicates more occasions that may be
worth researching. Most of the results reside within examples or
documentation though. An interesting find is bin/g++-dep line 63:

> TMP=/tmp/g++dep$$

This path is also used for writing. The context can be found at:
http://sources.debian.net/src/ace/6.2.7%2Bdfsg-1/bin/g%2B%2Bdep/#L63

I am not sure whether this instance is actually executed during the build,
but the Debian package installs it to the development package available
for user consumption.

Thanks

Helmut
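
Added example, not part of the original message and not ACE code: the PID-based naming pattern quoted above next to a mktemp-based replacement, exercised in a private sandbox directory. The function names, the sandbox layout, the file "precious" and the PID 4242 are constructed for illustration.

```shell
#!/bin/sh
# Added example, not ACE code. Everything happens inside a private sandbox
# directory; "$SANDBOX/tmp" stands in for the shared /tmp.

# The reported pattern: the name depends only on the PID, and a plain '>'
# follows whatever already exists at that path (including a symlink).
write_predictable() {   # args: tmpdir pid data
    out="$1/g++dep$2"
    printf '%s\n' "$3" > "$out"
    printf '%s\n' "$out"
}

# Hardened form: mktemp picks an unguessable suffix and creates the file
# itself with O_EXCL and mode 0600, so an existing entry is never reused.
write_mktemp() {        # args: tmpdir data
    out=$(mktemp "$1/g++dep.XXXXXXXXXX") || return 1
    printf '%s\n' "$2" > "$out"
    printf '%s\n' "$out"
}

# Constructed scenario: a symlink already exists at the name the script
# will use for PID 4242, pointing at a file owned by the invoking user.
setup_sandbox() {
    SANDBOX=$(mktemp -d) || return 1
    mkdir "$SANDBOX/tmp"
    printf 'original\n' > "$SANDBOX/precious"
    ln -s "$SANDBOX/precious" "$SANDBOX/tmp/g++dep4242"
}

# Reports whether the file behind the symlink still has its contents.
precious_state() {
    if [ "$(cat "$SANDBOX/precious")" = "original" ]; then
        echo intact
    else
        echo clobbered
    fi
}

demo() {
    setup_sandbox || return 1
    write_mktemp "$SANDBOX/tmp" deps >/dev/null
    echo "after mktemp write:      $(precious_state)"
    write_predictable "$SANDBOX/tmp" 4242 deps >/dev/null
    echo "after predictable write: $(precious_state)"
    rm -rf "$SANDBOX"
}
```

Source the file and call demo to see both results; in a real script the mktemp result would also be removed on exit with a trap.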