Hugin was reported to create temporary / debug files in an unsafe manner. During the optimizer run, it creates a debug output file with a pre-defined name: /tmp/hugin_debug_optim_results.txt. If the file was already created by another user, hugin gives an error message. This problem can be abused by a malicious local user to perform a symlink attack against the user running hugin, which will result in the overwrite of an arbitrary file writable by the user running hugin with panorama optimizer output. There does not seem to be any upstream patch at the moment. An updated package was released for openSuSE, which resolves this problem by disabling creation of the debug file.
There isn't an upstream patch because nobody at opensuse bothered to contact upstream before creating a CVE. The fix however is a simple one-liner:

sed -i 's/define DEBUG_WRITE_OPTIM_OUTPUT$/undef DEBUG_WRITE_OPTIM_OUTPUT/' \
  src/Panorama/PTOptimise.cpp

Though currently hugin isn't buildable for either f7 or f8 due to #295521, so this one is stuck.
Yes, this is probably the easiest way to fix this. However, upstream may want to develop another fix, which does not sacrifice some functionality (I'm not trying to say the fix above is wrong ;). According to comments in huginApp.cpp, there is some intention to fix temp file usage:

// FIXME, make secure against some symlink attacks
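As an added illustration (not part of this bug report and not hugin's code), the C sketch below contrasts the fixed-name fopen() pattern described in the report with two ways to keep a debug file without the symlink exposure: exclusive creation and mkstemp(). The function names and the scratch-directory scenario are constructed for the example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Pattern from the report: fixed name; fopen("w") follows a symlink and truncates its target. */
int write_debug_unsafe(const char *path, const char *msg) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(msg, f);
    return fclose(f);
}

/* Fixed name kept, but creation fails (EEXIST) if anything, a symlink included, is already there. */
int write_debug_excl(const char *path, const char *msg) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, msg, strlen(msg));
    return (close(fd) == 0 && n == (ssize_t)strlen(msg)) ? 0 : -1;
}

/* Unpredictable name: mkstemp() replaces XXXXXX and creates the file exclusively, mode 0600. */
int write_debug_mkstemp(char *tmpl, const char *msg) {
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    ssize_t n = write(fd, msg, strlen(msg));
    return (close(fd) == 0 && n == (ssize_t)strlen(msg)) ? 0 : -1;
}

/* Constructed scenario in a private scratch dir; returns 1 if "victim" still holds "KEEP". */
int victim_survives(int (*writer)(const char *, const char *)) {
    char dir[] = "/tmp/symlink_demo_XXXXXX", victim[64], dbg[96], buf[8] = {0};
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(dbg, sizeof dbg, "%s/hugin_debug_optim_results.txt", dir);
    write_debug_unsafe(victim, "KEEP");      /* the file that must not be overwritten */
    if (symlink(victim, dbg) != 0) return -1; /* link planted at the debug file's name */
    writer(dbg, "optimizer output");
    FILE *f = fopen(victim, "r");
    if (f) { if (fread(buf, 1, 4, f) != 4) buf[0] = 0; fclose(f); }
    unlink(dbg); unlink(victim); rmdir(dir);
    return strcmp(buf, "KEEP") == 0;
}

int main(void) {
    printf("unsafe=%d excl=%d\n", victim_survives(write_debug_unsafe), victim_survives(write_debug_excl));
    return 0;
}
```

With exclusive creation the writer reports an error when the name is already taken, which matches the "gives an error message" behaviour in the report but without writing through the link.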
Created attachment 236541
Patch to fix CVE-2007-5200

This is the upstream patch to fix this and another similar bug. Note that releasing a new hugin still depends on bug #295521
This is well over a month and still not resolved. Do you need any help other than the one-liner fix in rebuilding wxGTK?
The patch and updated hugin.spec files for FC-6, F-7, F-8 and devel are in CVS. I can't actually run `make tag` so I'm giving up on this one:

[bruno@moo FC-6]$ cd ../F-7
[bruno@moo F-7]$ make tag
cvs tag -c hugin-0_6_1-11_fc7
cvs tag: Tagging .
T .cvsignore
T Makefile
T branch
T hugin-0.6.1-CVE-2007-5200.patch
T hugin.spec
T sources
Tagged with: hugin-0_6_1-11_fc7
[bruno@moo F-7]$ cd ../F-8/
[bruno@moo F-8]$ make tag
error: Macro %dist has empty body
error: Macro %dist has empty body
error: Macro % has illegal name (%define)
error: Macro % has illegal name (%define)
error: Macro %dist has empty body
error: Macro %dist has empty body
error: Macro % has illegal name (%define)
error: Macro % has illegal name (%define)
error: Macro %dist has empty body
error: Macro %dist has empty body
error: Macro % has illegal name (%define)
error: Macro % has illegal name (%define)
error: Macro %dist has empty body
error: Macro %dist has empty body
error: Macro % has illegal name (%define)
error: Macro % has illegal name (%define)
error: Macro %dist has empty body
error: Macro %dist has empty body
error: Macro % has illegal name (%define)
error: Macro % has illegal name (%define)
error: Macro %dist has empty body
error: Macro %dist has empty body
error: Macro % has illegal name (%define)
error: Macro % has illegal name (%define)
error: Macro %dist has empty body
error: Macro %dist has empty body
error: Macro % has illegal name (%define)
error: Macro % has illegal name (%define)
error: Macro %dist has empty body
error: Macro %dist has empty body
error: Macro % has illegal name (%define)
error: Macro % has illegal name (%define)
cvs tag -c hugin-0_6_1-11_fc7
ERROR: The tag hugin-0_6_1-11_fc7 is already applied on a different branch
ERROR: You can not forcibly move tags between branches
hugin-0_6_1-5_fc6:devel:bpostle:1174424717
hugin-0_6_1-5_fc5:FC-5:bpostle:1174425164
hugin-0_6_1-6_fc7:devel:bpostle:1174425968
hugin-0_6_1-6_fc5:FC-5:bpostle:1174425980
hugin-0_6_1-6_fc6:FC-6:bpostle:1174425991
hugin-0_6_1-7_fc7:F-7:bpostle:1187035915
hugin-0_6_1-7_fc8:devel:bpostle:1187035930
hugin-0_6_1-8_fc8:devel:bpostle:1187730420
hugin-0_6_1-9_fc8:devel:bpostle:1187814430
hugin-0_6_1-10_fc8:devel:bpostle:1194300775
hugin-0_6_1-10_fc7:F-8:bpostle:1194300791
hugin-0_6_1-11_fc6:FC-6:bpostle:1194301109
hugin-0_6_1-11_fc7:F-7:bpostle:1194301120
cvs tag: Pre-tag check failed
cvs [tag aborted]: correct the above errors first!
make: *** [tag] Error 1
Bruno: No idea what your issue was (you had up-to-date CVS checked out?), but it seems like there were no changes to Makefiles. Anyways, thanks for the patch; I was able to successfully tag and build all affected branches.
hugin-0.6.1-11.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
(In reply to comment #7)
> Bruno: No idea what your issue was (you had up-to-date CVS checked out?)

I hadn't updated 'common', this has happened to me before...

> I was able to successfully tag and build all affected branches.

Thanks, there was no wxGTK release, is bug #295521 local to my system only?
(In reply to comment #9)
> > I was able to successfully tag and build all affected branches.
> Thanks, there was no wxGTK release, is bug #295521 local to my system only?

Huh, I even forgot about that :) Anyways, as you can see, the package built. That can mean that either some other build root change (gcc or whatever) solved that or it is really specific to your configuration. Which version do you run, are you completely up-to-date?
I am/was up to date, the system is x86_64. I can switch between the two wxGTK packages and reproduce, though it looks like I need to try this in mock and update the bug report as necessary.
hugin-0.6.1-11.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.