Bug 676061

Summary: tesseract: arbitrary file overwrite vulnerability
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: karlikt
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-12-23 18:25:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 676062    
Bug Blocks:    

Description Vincent Danen 2011-02-08 18:10:34 UTC 
A Debian bug report [1],[2] indicated that tesseract is vulnerable to an arbitrary file overwrite flaw.  If a user could guess the PID of the tesseract process and create a symlink in /tmp, they could cause the overwrite of any file that the user running tesseract has write access to.  In ccutil/debugwin.cpp we have:

253   length +=
254     sprintf (command + length,
255     ""stty opost; tty >/tmp/debug%d; while [ -s /tmp/debug%d ]\ndo\nsleep 1\ndone" &\n",
256     pid, pid);
257   length +=
258     sprintf (command + length, "trap "rm -f /tmp/debug%d; kill -9 $!" 0\n",
259     pid);
260   length += sprintf (command + length, "trap "exit" 1 2 3 13 15\n");
261   length +=
262     sprintf (command + length,
263     "while [ ! -s /tmp/debug%d ]\ndo\nsleep 1\ndone\n", pid);
264   length += sprintf (command + length, "trap "" 1 2 3 13 15\n");
265   length += sprintf (command + length, "ofile=`cat /tmp/debug%d`\n", pid);
266   length +=
267     sprintf (command + length, "cat -u - >$ofile; rm /tmp/debug%d\n", pid);

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=612032
[2] https://bugs.launchpad.net/ubuntu/+source/tesseract/+bug/607297
Comment 1 Vincent Danen 2011-02-08 18:11:16 UTC 
Created tesseract tracking bugs for this issue

Affects: fedora-all [bug 676062]
Comment 2 Vincent Danen 2012-09-10 22:47:51 UTC 
Debian and Ubuntu's approach was to disable this functionality rather than fix the temporary file issues.  Not sure if we want to use the same approach:

--- debugwin.cpp.orig   2012-09-10 16:44:19.401189019 -0600
+++ debugwin.cpp        2012-09-10 16:46:51.759485593 -0600
@@ -31,7 +31,8 @@
 
 DLLSYM INT_VAR (debug_lines, 256, "Number of lines in debug window");
 
-#ifndef GRAPHICS_DISABLED
+#if 0
+/* disabled */
 
 #ifdef __MAC__
 #include          <ltextedit.h>
Comment 3 Vincent Danen 2013-12-23 18:25:42 UTC 
The current tesseract 3.02.02 as found in current Fedora releases (version 18+) no longer contain this debugwin.cpp file, nor is there any /tmp/debug* files written any longer, so this has been corrected upstream.