[Secure-testing-team] Bug#598134: ocrodjvu: insecure use of temporary files
Jakub Wilk
jwilk at debian.org
Sun Sep 26 18:51:48 UTC 2010
Package: ocrodjvu
Version: 0.4.6-1
Severity: grave
Tags: security
Justification: user security hole
If Cuneiform is used as OCR engine, ocrodjvu atomically creates
a temporary file in /tmp (or $TMPDIR) and then runs
cuneiform -l <language> -f hocr -o <tmpoutputfile> <inputfile>
This turns out to be insecure: in some circumstances (e.g. if OCRed
paged contains illustrations), Cuneiform creates additional files in the
same directory as output file. As a consequence, a local attacker can
overwrite arbitrary files via a symlink attack.
--
Jakub Wilk
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20100926/0bd52d5e/attachment.pgp>
More information about the Secure-testing-team
mailing list