[Secure-testing-team] Bug#654341: inkscape reads .eps files from /tmp instead of the current directory
Vincent Lefevre
vincent at vinc17.net
Tue Jan 3 03:01:12 UTC 2012
Package: inkscape
Version: 0.48.1-2.1+b1
Severity: grave
Tags: security
Justification: user security hole
When I want to open a .eps file with something like

  inkscape file.eps

inkscape tries to open the file from /tmp instead of the current
directory (if the file doesn't exist, I get a ghostscript error from
ps2pdf, which is the same error as when ps2pdf is run manually).

According to strace, inkscape does a chdir to /tmp before running
ps2pdf on the argument, hence the problem.

The security problem is that the user A may open a file belonging
to some user B from /tmp, which can contain incorrect data, an
offensive image and so on. It can also be a symbolic link to some
protected file of user A (which may inadvertently be diffused to other
users) or to some other special file that shouldn't be read, such as
/proc/<pid>/fd/0, which can make program <pid> behave incorrectly.

-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.1.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages inkscape depends on:
ii libaspell15 0.60.7~20110707-1
ii libatk1.0-0 2.2.0-2
ii libatkmm-1.6-1 2.22.6-1
ii libc6 2.13-24
ii libcairo2 1.10.2-6.2
ii libcairomm-1.0-1 1.10.0-1
ii libfontconfig1 2.8.0-3
ii libfreetype6 2.4.8-1
ii libgc1c2 1:7.1-8
ii libgcc1 1:4.6.2-9
ii libgconf2-4 3.2.3-1
ii libgdk-pixbuf2.0-0 2.24.0-2
ii libglib2.0-0 2.30.2-4
ii libglibmm-2.4-1c2a 2.30.0-2
ii libgnomevfs2-0 1:2.24.4-1
ii libgomp1 4.6.2-9
ii libgsl0ldbl 1.15+dfsg-1
ii libgtk2.0-0 2.24.8-2
ii libgtkmm-2.4-1c2a 1:2.24.2-1
ii libgtkspell0 2.0.16-1
ii liblcms1 1.19.dfsg-1+b1
ii libmagick++4 8:6.6.9.7-5+b2
ii libmagickcore4 8:6.6.9.7-5+b2
ii libpango1.0-0 1.29.4-2
ii libpangomm-1.4-1 2.28.4-1
ii libpng12-0 1.2.46-3
ii libpoppler-glib6 0.16.7-2+b1
ii libpoppler13 0.16.7-2+b1
ii libpopt0 1.16-3
ii libsigc++-2.0-0c2a 2.2.9-1.1
ii libstdc++6 4.6.2-9
ii libwpd-0.9-9 0.9.4-1
ii libwpg-0.2-2 0.2.1-1
ii libx11-6 2:1.4.4-4
ii libxml2 2.7.8.dfsg-5.1
ii libxslt1.1 1.1.26-8
ii zlib1g 1:1.2.3.4.dfsg-3
Versions of packages inkscape recommends:
ii aspell 0.60.7~20110707-1
ii imagemagick 8:6.6.9.7-5+b2
ii libwmf-bin <none>
ii perlmagick <none>
ii pstoedit 3.60-1
Versions of packages inkscape suggests:
pn dia | dia-gnome <none>
pn libgnomevfs2-extra 1:2.24.4-1
pn libsvg-perl <none>
pn libxml-xql-perl <none>
pn python 2.7.2-9
pn python-lxml <none>
pn python-numpy 1:1.5.1-3
pn python-uniconvertor <none>
pn ruby 4.8
pn ruby1.8 [ruby] 1.8.7.352-2
pn skencil <none>
-- no debconf information
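
The path-resolution problem described in the report, as an added example that is not part of the original message and not Inkscape's code: a helper started in a shared scratch directory with the user's relative argument reads that directory's file, while resolving the argument to an absolute path first reads the intended one. The directory names, file contents and the Python one-liner standing in for ps2pdf are constructed for illustration.

```python
import os
import subprocess
import sys
import tempfile

# Stand-in for the external converter (ps2pdf in the report): it opens its
# argument relative to whatever working directory it was started in.
HELPER = "import sys; sys.stdout.write(open(sys.argv[1]).read())"


def convert_after_chdir(arg, scratch_dir):
    """Pattern from the report: the helper runs in the scratch directory
    and is handed the user's argument unchanged."""
    out = subprocess.run([sys.executable, "-c", HELPER, arg],
                         cwd=scratch_dir, capture_output=True, text=True)
    return out.stdout


def convert_resolved_first(arg, scratch_dir):
    """Resolve the argument against the caller's directory before the
    working directory changes, then pass the absolute path."""
    resolved = os.path.abspath(arg)
    out = subprocess.run([sys.executable, "-c", HELPER, resolved],
                         cwd=scratch_dir, capture_output=True, text=True)
    return out.stdout


def demo():
    """Build two constructed directories holding the same file name and
    return what each pattern ends up reading."""
    old_cwd = os.getcwd()
    with tempfile.TemporaryDirectory() as root:
        work = os.path.join(root, "work")      # user's current directory
        shared = os.path.join(root, "shared")  # plays the role of /tmp
        for d, text in ((work, "user A's drawing"), (shared, "user B's file")):
            os.mkdir(d)
            with open(os.path.join(d, "file.eps"), "w") as f:
                f.write(text)
        os.chdir(work)
        try:
            return (convert_after_chdir("file.eps", shared),
                    convert_resolved_first("file.eps", shared))
        finally:
            os.chdir(old_cwd)


if __name__ == "__main__":
    print(demo())
```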