Bug 253553 (CVE-2007-4460)

Summary: CVE-2007-4460 id3lib doesn't use mkstemp() to create a name of a temporary file
Product: Fedora
Reporter: Lubomir Kundrak <lkundrak>
Component: id3lib
Assignee: Hans de Goede <hdegoede>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: 7
Keywords: Security
Hardware: All
OS: Linux
URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=438540
Whiteboard: impact=moderate,source=cve
Fixed In Version: 3.8.3-17.fc7
Doc Type: Bug Fix
Last Closed: 2007-08-24 05:41:05 UTC

Description Lubomir Kundrak 2007-08-20 15:30:09 UTC
Description of problem:

    String filename = tag.GetFileName();
    String sTmpSuffix = ".XXXXXX";
...
    strcpy(sTempFile, filename.c_str());
    strcat(sTempFile, sTmpSuffix.c_str());

#if ((defined(__GNUC__) && __GNUC__ >= 3  ) || !defined(HAVE_MKSTEMP))
    // This section is for Windows folk && gcc 3.x folk
    fstream tmpOut;
    createFile(sTempFile, tmpOut);

When compiled with gcc 3 or higher, a file with a predictable name is created.
This can possibly be exploited to conduct a symlink attack and either leak
information or overwrite an arbitrary file on behalf of the user using the library
(though I have not had a look at createFile(), maybe the only problem is two
programs using the temporary file concurrently).

Additional info:

The CVE identifier for this issue has been requested.
See the URL for the Debian bug.
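
The mkstemp() code path that the excerpt above skips on gcc 3 builds, written out as a complete example. This is added here for illustration; it is not id3lib's code, not the reporter's, and not the fix shipped in 3.8.3-17.fc7. It assumes a POSIX system (mkstemp(), mkdtemp(), fsync(), rename()), and the helper names build_template, name_is_literal_template, safe_rewrite and read_back are hypothetical. It also replaces the excerpt's strcpy()/strcat() into a fixed buffer with a bounds-checked snprintf().

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* mkstemp(), mkdtemp(), fsync() */
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Build "<filename>.XXXXXX" with bounds checking. The id3lib excerpt does this
 * with strcpy()/strcat() into a fixed buffer; snprintf() refuses to overflow.
 * Returns 0 on success, -1 if the name does not fit. */
static int build_template(char *buf, size_t bufsz, const char *filename)
{
    int n = snprintf(buf, bufsz, "%s.XXXXXX", filename);
    return (n < 0 || (size_t)n >= bufsz) ? -1 : 0;
}

/* Returns 1 if `path` still ends in the literal ".XXXXXX" suffix, i.e. the
 * exact, predictable name the non-mkstemp code path in the report creates.
 * After a successful mkstemp() the X's have been replaced and this returns 0. */
static int name_is_literal_template(const char *path)
{
    size_t len = strlen(path);
    return len >= 7 && strcmp(path + len - 7, ".XXXXXX") == 0;
}

/* Write `len` bytes of `data` to a temp file created by mkstemp() next to
 * `filename`, then rename() it over `filename`. `tmp_out` receives the name
 * mkstemp() actually chose. Returns 0 on success, -1 on failure (the temp
 * file is removed). Hypothetical helper, not an id3lib function. */
static int safe_rewrite(const char *filename, const void *data, size_t len,
                        char *tmp_out, size_t tmp_sz)
{
    if (build_template(tmp_out, tmp_sz, filename) != 0)
        return -1;

    /* mkstemp() fills in a random suffix and opens with O_CREAT|O_EXCL and
     * mode 0600 in one call: a symlink or someone else's file already sitting
     * at that name makes the open fail instead of being followed or reused. */
    int fd = mkstemp(tmp_out);
    if (fd < 0)
        return -1;

    /* Write through the descriptor we were handed; never reopen by name. */
    const unsigned char *p = data;
    size_t off = 0;
    while (off < len) {
        ssize_t w = write(fd, p + off, len - off);
        if (w < 0) {
            if (errno == EINTR)
                continue;
            goto fail_open;
        }
        off += (size_t)w;
    }
    if (fsync(fd) != 0)
        goto fail_open;
    if (close(fd) != 0)
        goto fail_closed;
    /* rename() is atomic within one filesystem: readers see the old file or
     * the new one, never a half-written tag. */
    if (rename(tmp_out, filename) != 0)
        goto fail_closed;
    return 0;

fail_open:
    close(fd);
fail_closed:
    unlink(tmp_out);
    return -1;
}

/* Read back up to `bufsz` bytes of `path`; returns the count or -1. */
static long read_back(const char *path, void *buf, size_t bufsz)
{
    FILE *f = fopen(path, "rb");
    if (f == NULL)
        return -1;
    size_t n = fread(buf, 1, bufsz, f);
    fclose(f);
    return (long)n;
}

int main(void)
{
    /* Constructed sample: a scratch directory and a fake tag payload. */
    char dir[] = "/tmp/id3tmp.XXXXXX";
    if (mkdtemp(dir) == NULL)
        return 1;
    char target[256], tmpname[256];
    snprintf(target, sizeof target, "%s/song.mp3", dir);
    static const char payload[] = "ID3 constructed sample";

    int rc = safe_rewrite(target, payload, sizeof payload - 1,
                          tmpname, sizeof tmpname);
    printf("rc=%d, temp name chosen by mkstemp(): %s\n", rc, tmpname);

    unlink(target);
    rmdir(dir);
    return rc == 0 ? 0 : 1;
}
```

Two properties matter here and are what name_is_literal_template checks for: the name that ends up on disk is not the literal "<file>.XXXXXX" the skipped branch would use, and the data goes through the descriptor mkstemp() returned rather than through a second open-by-name, so there is no window between choosing the name and creating the file for anything else to occupy it.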

Comment 1 Lubomir Kundrak 2007-08-21 21:11:54 UTC
Mitre assigned CVE-2007-4460 identifier to this issue.

Comment 2 Fedora Update System 2007-08-24 05:40:59 UTC
id3lib-3.8.3-17.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.