Bug 460180 - (CVE-2008-3791) CVE-2008-3791 gpicview: Insecure auxiliary /tmp file usage (symlink attack possible)
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Platform: All, OS: Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
Reported: 2008-08-26 12:41 EDT by Jan Lieskovsky
Modified: 2010-04-19 17:59 EDT (History)
Doc Type: Bug Fix
Last Closed: 2010-04-19 17:59:27 EDT


External Trackers
Tracker ID Priority Status Summary Last Updated
Debian BTS 495968 None None None Never

Description Jan Lieskovsky 2008-08-26 12:41:54 EDT
Description of problem:

gpicview-0.1.9 creates, for handling transient changes to the original
image file, a temporary file with the hardcoded name /tmp/rot.jpg.
This file can be used by a malicious user to perform a symlink attack
and allows the user to destroy the target of the link.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Create symlink to file /tmp/rot.jpg
2. Open some image file with gpicview
3. The target of the link will be erased.

Actual results:
Symlink attack possible.

Expected results:
No symlink attack possible.

Additional info:
Relevant part of the code:

main-win.c:    //rotate the image and save it to /tmp/rot.jpg
main-win.c:    int error = jpegtran (filename, "/tmp/rot.jpg" , code);
main-win.c:    //now copy /tmp/rot.jpg back to the original file
main-win.c:    sprintf(command,"cp /tmp/rot.jpg \"%s\"",filename);

References (upstream bug report):
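
As an added example (not gpicview's code and not the upstream patch), the pattern that removes both problems shown in the excerpt above: the temporary file is created with mkstemp() beside the target instead of at a fixed /tmp/rot.jpg, and the result is moved into place with rename() instead of a shell "cp" built with sprintf(). The rotated bytes are a constructed stand-in for jpegtran's output, and the scratch directory and file name are constructed test data.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Write len bytes of data over target without a predictable temp path and
 * without passing the filename through a shell. 0 on success, -1 on error. */
int safe_replace_file(const char *target, const unsigned char *data, size_t len)
{
    char tmpl[4096];
    /* Temp file sits next to the target: same filesystem (so rename() is
     * atomic) and not in world-writable /tmp where a name can be squatted. */
    if (snprintf(tmpl, sizeof tmpl, "%s.XXXXXX", target) >= (int)sizeof tmpl)
        return -1;
    /* mkstemp uses O_CREAT|O_EXCL plus a random suffix, so a pre-placed
     * symlink is never followed, unlike a fixed /tmp/rot.jpg. */
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    for (size_t off = 0; off < len; ) {
        ssize_t n = write(fd, data + off, len - off);
        if (n < 0) { close(fd); unlink(tmpl); return -1; }
        off += (size_t)n;
    }
    if (fsync(fd) < 0 || close(fd) < 0 || rename(tmpl, target) < 0) {
        unlink(tmpl);
        return -1;
    }
    return 0;
}
/* Self-check: overwrite a file whose name carries shell metacharacters and
 * confirm the new bytes landed in it. Returns 0 when the content matches. */
int run_demo(void)
{
    char dir[] = "/tmp/gpicview-demo.XXXXXX";   /* constructed scratch dir */
    static const unsigned char rotated[] = "constructed rotated-image bytes";
    char target[4096], buf[64] = {0};
    if (!mkdtemp(dir)) return -1;
    /* This name would have corrupted the old sprintf("cp ... \"%s\"") line. */
    snprintf(target, sizeof target, "%s/rot\"ated\" $(x).jpg", dir);
    FILE *f = fopen(target, "wb");
    if (!f || fputs("original", f) == EOF || fclose(f) != 0) return -1;
    if (safe_replace_file(target, rotated, sizeof rotated - 1) != 0) return -1;
    if (!(f = fopen(target, "rb"))) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f); unlink(target); rmdir(dir);
    return (n == sizeof rotated - 1 && memcmp(buf, rotated, n) == 0) ? 0 : 1;
}
int main(void) { return run_demo(); }
```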

Comment 1 Jan Lieskovsky 2008-08-26 12:43:10 EDT
This issue affects the versions of the gpicview package as shipped within
the Fedora releases of 8, 9 and 10.
Comment 2 Tomas Hoger 2008-09-03 02:18:49 EDT
According to the current findings, this issue can allow arbitrary code execution via a crafted file name:

Related Debian and Gentoo bug reports:
Comment 3 Jan Lieskovsky 2008-09-23 09:34:30 EDT
Was unable to reproduce the arbitrary code execution (CVE-2008-3904) either in LXDE (by using lxterminal) or in Gnome (by using gnome-terminal), by following the steps as mentioned in:

Proposed patch:

Comment 4 Vincent Danen 2010-04-19 17:59:27 EDT
This has been corrected upstream and the fix is in version 0.1.10 which is in EPEL5.  The corrected code also exists in the rotate_and_save_jpeg_lossless() function (relocated to jpeg-tran.c in 0.2.1, which is in Fedora 11+).
