[Secure-testing-team] Bug#830660: liblept5: hardcoded predictable paths in /tmp

Sven Hartge sven at svenhartge.de
Sat Jul 9 23:47:17 UTC 2016


Package: liblept5
Version: 1.73-2
Severity: important
Tags: security

Hi!

A discussion in the German Usenet group de.comp.os.unix.linux.misc,
starting at MID:<nlppqc$frq$1 at news.albasani.net> revealed some serious
security problems in leptonlib. (At least I think so.)

The leptonlib-progs and more important the liblept5 library hardcode
several predictable paths in /tmp and /tmp/lept:

https://codesearch.debian.net/search?q=%22/tmp+package%3Aleptonlib+filetype%3Ac

Not only would this allow a symlink attack (which is why I added the
security tag) but since the code does not clean the created paths, if
one user runs some program which uses liblept5, like tesseract-ocr, then
no other user can use it, because /lib/lept/... exists belonging to the
first user.

In addition to that, the code seems to honor $TMPDIR but not in all
places.

For example the program /usr/bin/splitimage2pdf from leptonica-progs
only works if $TMPDIR is not set or set to "/tmp", because while the
getPathname() function _does_ use TMPDIR, if it is set, the code in
prog/splitimage2pdf hardcodes the path "/tmp/junk_split_image.ps" as
the path to call "ps2pdf" with later.

If $TMPDIR is unset or set to /tmp, the code leaves two predictably
named files behind in /tmp:

oweh at skuld:~$ ls -lrtc /tmp/junk*
-rw-r--r-- 1 oweh oweh 277230 Jul 10 01:31 /tmp/junk_split_image.ps
-rw-r--r-- 1 oweh oweh   1139 Jul 10 01:31 /tmp/junk_split_image.jpg

Any other user now trying to use the program or programs using the
liblept5 library will get errors.

If $TMPDIR is set (for example my pam_tmpdir), those files are created
in /tmp/user/<UID_OF_USER>, but some parts of the code don't honor this
environment variable and expect the temporary files directly in /tmp or
/tmp/lept.

Things like this can be found all over the place and from looking at the
code I am a bit frightened of what a more in-depth audit might reveal.

Regards,
Sven.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (400, 'testing'), (100, 'experimental'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.6.0-1-amd64 (SMP w/12 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages liblept5 depends on:
ii  libc6            2.23-1
ii  libgif7          5.1.4-0.3
ii  libjpeg62-turbo  1:1.5.0-1
ii  libopenjp2-7     2.1.0-2.1+b1
ii  libpng16-16      1.6.23-1
ii  libtiff5         4.0.6-1
ii  libwebp5         0.4.4-1.1
ii  zlib1g           1:1.2.8.dfsg-2+b1

liblept5 recommends no packages.

liblept5 suggests no packages.

-- no debconf information
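The following is an added example, not leptonica code and not part of the bug report above. It contrasts the pattern the report describes (a fixed, predictable name under /tmp opened with O_CREAT and no O_EXCL, and a hardcoded "/tmp/..." that ignores $TMPDIR) with a replacement that honors $TMPDIR, creates the file atomically with mkstemp(), and hands the generated name back so later stages use the same path. The function names, the "junk_split_image" prefix reuse and the scratch-directory setup in demo_symlink_clobber() are mine; the symlink "attack" runs entirely inside a private mkdtemp() directory and is a constructed demonstration, not an exploit against a real /tmp.

```c
/* Added example (not from leptonica or the bug report): predictable
 * fixed-path temp files vs. a TMPDIR-aware mkstemp() replacement. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the report describes: a fixed name, O_CREAT without O_EXCL,
 * so a symlink planted at that name by another user is followed and its
 * target is truncated/written with the victim's privileges. The file is
 * also left behind as 0644 owned by the first user, so a second user's
 * O_TRUNC fails with EACCES (the "no other user can use it" symptom). */
int open_fixed_tmp_insecure(const char *fixed_path) {
    return open(fixed_path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Honor $TMPDIR consistently (e.g. pam_tmpdir's /tmp/user/<uid>),
 * falling back to /tmp. Every temp path in a program should go through
 * one such function, so no stage hardcodes "/tmp/..." behind its back. */
const char *tmp_base_dir(void) {
    const char *d = getenv("TMPDIR");
    return (d && *d) ? d : "/tmp";
}

/* Hardened replacement: unpredictable name, created atomically with
 * O_CREAT|O_EXCL semantics and mode 0600 by mkstemp(). The generated
 * path is written to path_out so callers (like a later ps2pdf step)
 * reuse exactly this name. Returns the fd, or -1 with errno set. */
int open_tmp_secure(const char *prefix, char *path_out, size_t n) {
    int len = snprintf(path_out, n, "%s/%s.XXXXXX", tmp_base_dir(), prefix);
    if (len < 0 || (size_t)len >= n) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return mkstemp(path_out);
}

/* Constructed demonstration of the symlink problem, confined to a private
 * mkdtemp() scratch directory: an "attacker" plants a symlink with the
 * predictable name, the "victim" opens that name the insecure way and
 * writes through it. Returns 1 if the write landed in the symlink target,
 * 0 if it did not, -1 on setup failure. Cleans up after itself. */
int demo_symlink_clobber(void) {
    char dir[4096], target[4096], planted[4096], buf[16];
    int fd, result = -1;
    ssize_t got;

    snprintf(dir, sizeof dir, "%s/leptdemo.XXXXXX", tmp_base_dir());
    if (!mkdtemp(dir))
        return -1;
    snprintf(target, sizeof target, "%s/victim_data", dir);
    snprintf(planted, sizeof planted, "%s/junk_split_image.ps", dir);

    /* Victim's pre-existing data the attacker wants overwritten. */
    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) goto cleanup;
    if (write(fd, "keep", 4) != 4) { close(fd); goto cleanup; }
    close(fd);

    /* Attacker: plant the predictable name as a symlink to the target. */
    if (symlink(target, planted) != 0) goto cleanup;

    /* Victim: fixed-name open follows the symlink and clobbers the target. */
    fd = open_fixed_tmp_insecure(planted);
    if (fd < 0) goto cleanup;
    if (write(fd, "pwned", 5) != 5) { close(fd); goto cleanup; }
    close(fd);

    fd = open(target, O_RDONLY);
    if (fd < 0) goto cleanup;
    got = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (got < 0) goto cleanup;
    buf[got] = '\0';
    result = (strcmp(buf, "pwned") == 0);

cleanup:
    unlink(planted);
    unlink(target);
    rmdir(dir);
    return result;
}

int main(void) {
    char path[4096];
    printf("symlink clobber via fixed name: %s\n",
           demo_symlink_clobber() == 1 ? "yes" : "no");
    int fd = open_tmp_secure("junk_split_image", path, sizeof path);
    if (fd < 0) { perror("open_tmp_secure"); return 1; }
    printf("secure temp file: %s (under %s)\n", path, tmp_base_dir());
    close(fd);
    unlink(path);
    return 0;
}
```

Note that open_tmp_secure() deliberately fails rather than silently falling back to /tmp when $TMPDIR points at a missing directory; a program that partly honors $TMPDIR and partly hardcodes /tmp, as the report describes for splitimage2pdf, would instead scatter its files across two directories and break. Where a fixed name truly cannot be avoided, O_EXCL together with O_NOFOLLOW and an lstat() ownership check before use are the minimum; a per-user directory from pam_tmpdir narrows the exposure but does not fix the library.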