Jakub Wilk
2010-Sep-26 18:51 UTC
[Secure-testing-team] Bug#598134: ocrodjvu: insecure use of temporary files
Package: ocrodjvu Version: 0.4.6-1 Severity: grave Tags: security Justification: user security hole If Cuneiform is used as OCR engine, ocrodjvu atomically creates a temporary file in /tmp (or $TMPDIR) and then runs cuneiform -l <language> -f hocr -o <tmpoutputfile> <inputfile> This turns out to be insecure: in some circumstances (e.g. if OCRed paged contains illustrations), Cuneiform creates additional files in the same directory as output file. As a consequence, a local attacker can overwrite arbitrary files via a symlink attack. -- Jakub Wilk -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 836 bytes Desc: Digital signature URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20100926/0bd52d5e/attachment.pgp>