It was reported [1],[2] that ID-software 3.7.2 (libdigidoc):

"Fixed one critical bug in the DDOC parsing routines. By persuading a victim to open a specially-crafted DDOC file, a remote attacker could exploit this vulnerability to overwrite arbitrary files on the system with the privileges of the victim."

The patch is in svn (not the repository from code.google.com/p/esteid, but from svn.eesti.ee) [3] (r98). This patch was backported for Mageia [4] and looks applicable to what we ship in Fedora (although we have a much older version). The patch from Mageia (or upstream) won't apply without changes, however, as it's adding a new error code.

Judging from the patch, it's just making sure that the file name doesn't include '/' or '\\' (so no paths in the filename).

[1] http://www.id.ee/?lang=en&id=34283#3_7_2
[2] https://bugs.mageia.org/show_bug.cgi?id=11100
[3] https://svn.eesti.ee/projektid/idkaart_public/
[4] http://svnweb.mageia.org/packages/updates/3/libdigidoc/current/SOURCES/libdigidoc-3.6.0.0-security-fix-DataFile-name-tag.patch?revision=472660&view=markup
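
The check described in the report above (no '/' or '\' in the DataFile name), as an added example that is not part of the original report and is not libdigidoc's or the patch's own code. The function names and the output directory are hypothetical, and the example goes slightly beyond the described check by also rejecting empty names, "." and "..".

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not libdigidoc's API: returns 1 when a DataFile
 * name taken from an untrusted DDOC container is a bare file name. */
int datafile_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;                       /* missing or empty name */
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;                       /* directory references */
    /* The check the report describes: no '/' or '\\' anywhere in the name. */
    if (strpbrk(name, "/\\") != NULL)
        return 0;
    return 1;
}

/* Hypothetical helper: builds "<dir>/<name>" in out, only for safe names.
 * Returns 0 on success, -1 when the name is rejected or out is too small. */
int build_extract_path(char *out, size_t outlen, const char *dir, const char *name)
{
    int n;
    if (!datafile_name_is_safe(name))
        return -1;
    n = snprintf(out, outlen, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= outlen)
        return -1;                      /* truncated paths are refused, not used */
    return 0;
}

int main(void)
{
    /* Constructed sample names, not taken from a real DDOC file. */
    const char *samples[] = { "contract.pdf", "../../.bashrc", "/etc/passwd",
                              "..\\..\\boot.ini", "..", "" };
    char path[64];
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = build_extract_path(path, sizeof path, "/tmp/ddoc-out", samples[i]);
        printf("%-18s -> %s\n", samples[i], rc == 0 ? path : "rejected");
    }
    return 0;
}
```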
Created libdigidoc tracking bugs for this issue:

Affects: fedora-all [bug 1002302]
This issue was assigned the name CVE-2013-5648:

http://www.openwall.com/lists/oss-security/2013/08/29/2
libdigidoc-3.9.1.1191-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.