Red Hat Bugzilla – Bug 253553
CVE-2007-4460 id3lib doesn't use mkstemp() to create a name of a temporary file
Last modified: 2007-11-30 17:12:13 EST
Description of problem:
String filename = tag.GetFileName();
String sTmpSuffix = ".XXXXXX";
// ...
strcpy(sTempFile, filename.c_str());
strcat(sTempFile, sTmpSuffix.c_str());
// ...
#if ((defined(__GNUC__) && __GNUC__ >= 3 ) || !defined(HAVE_MKSTEMP))
// This section is for Windows folk && gcc 3.x folk
fstream tmpOut;
createFile(sTempFile, tmpOut);
When compiled with gcc 3 or higher, a file with a predictable name is created.
This can possibly be exploited to conduct a symlink attack and either leak
information or overwrite an arbitrary file on behalf of the user using the library
(though I have not had a look at createFile(), maybe the only problem is two
programs using the temporary file concurrently).
The CVE identifier for this issue had been requested.
See URL for Debian bug.
Mitre assigned CVE-2007-4460 identifier to this issue.
id3lib-3.8.3-17.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
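The difference between the literal ".XXXXXX" name described in this bug and a name produced by mkstemp(), as an added C example that is not id3lib code and not part of the original report. The create-or-truncate open() is an assumed stand-in for createFile(), and the directory, file names and contents are constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern from the report: ".XXXXXX" is used as a literal file name.
 * O_CREAT|O_TRUNC is an assumed stand-in for createFile(), which the
 * report did not inspect; it follows a symlink already at that name. */
static int open_predictable(char *p) { return open(p, O_WRONLY | O_CREAT | O_TRUNC, 0600); }

/* Hardened form: mkstemp() overwrites the X's with random characters and
 * creates the file with O_CREAT|O_EXCL and mode 0600, so it never opens
 * a file or symlink that already exists. */
static int open_with_mkstemp(char *p) { return mkstemp(p); }

/* Constructed scenario: a symlink already sits at "song.mp3.XXXXXX" and
 * points at a 9-byte victim file. Returns the victim's size after the
 * chosen variant writes 3 bytes to its temporary file, or -1 on error. */
long victim_size_after(int use_mkstemp)
{
    char dir[] = "/tmp/id3demo.XXXXXX", victim[64], planted[64], tmp[64];
    struct stat st;
    long size = -1;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(planted, sizeof planted, "%s/song.mp3.XXXXXX", dir);
    snprintf(tmp, sizeof tmp, "%s", planted);  /* name + ".XXXXXX" template */
    FILE *f = fopen(victim, "w");
    if (f) { fputs("important", f); fclose(f); }
    if (f && symlink(victim, planted) == 0) {
        int fd = use_mkstemp ? open_with_mkstemp(tmp) : open_predictable(tmp);
        if (fd >= 0 && write(fd, "tag", 3) == 3 && stat(victim, &st) == 0)
            size = (long)st.st_size;
        if (fd >= 0) close(fd);
    }
    unlink(tmp); unlink(planted); unlink(victim); rmdir(dir);  /* clean up */
    return size;
}

int main(void)
{
    printf("predictable name: victim is %ld bytes\n", victim_size_after(0));
    printf("mkstemp():        victim is %ld bytes\n", victim_size_after(1));
    return 0;
}
```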