[pkg-wine-party] Bug#868737: gnome-exe-thumbnailer: unsafe use of /tmp
Ansgar Burchardt
ansgar at debian.org
Tue Jul 18 07:31:36 UTC 2017
Package: gnome-exe-thumbnailer
Version: 0.9.4-2
Severity: important
Tags: security upstream
gnome-exe-thumbnailer creates temporary files in /tmp using `mktemp`
(e.g. ${TEMPFILE1}), but also uses those names with a suffix
(e.g. ${TEMPFILE1}.vbs) which is not safe to do.
Examples are (from [1]):
+---
| # Try to extract all icons:
| icotool --extract $TEMPFILE1 -o /tmp
|
| # There's always a 32x32x32 icon in "Vista" icons, but just to be sure:
| [ -s ${TEMPFILE1}_${INDEX}_32x32x${BITDEPTH}.png ] && ICON=${TEMPFILE1}_${INDEX}_32x32x${BITDEPTH}.png
+---( lines 264--268 )
+---
| DISPLAY=NONE wine cscript.exe //E:vbs //NoLogo Z:\\tmp\\${TEMPFILE1##*/}.vbs 2>/dev/null \
+---( line 374 )
The latter seems to be gone with the upstream changes for #868705.
It also removes all files whose name starts with ${TEMPFILE1} which
might in theory also be ones it did not create:
+---
| rm $TEMPFILE1* $TEMPFILE2 $TEMPTHUMB
+---( line 407 )
Using a temporary directory (`mktemp -d`) instead of just files should
help avoid these issues. It should probably also quit early in case
`mktemp` failed.
Ansgar
[1] <http://sources.debian.net/src/gnome-exe-thumbnailer/0.9.4-2/usr/bin/gnome-exe-thumbnailer>
More information about the pkg-wine-party
mailing list