Red Hat Bugzilla – Bug 460180
CVE-2008-3791 gpicview: Insecure auxiliary /tmp file usage (symlink attack possible)
Last modified: 2010-04-19 17:59:27 EDT
Description of problem:
gpicview-0.1.9 creates, for handling transient changes to the original
image file, a temporary file with the hardcoded name /tmp/rot.jpg.
This file can be used by a malicious user to mount a symlink attack
and allow the user to destroy the target of the link.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Create a symlink at /tmp/rot.jpg pointing to some file
2. Open some image file with gpicview
3. The target of the link will be erased.
Actual results:
Symlink attack possible.
Expected results:
No symlink attack possible.
Relevant part of the code:
main-win.c: //rotate the image and save it to /tmp/rot.jpg
main-win.c: int error = jpegtran (filename, "/tmp/rot.jpg" , code);
main-win.c: //now copy /tmp/rot.jpg back to the original file
main-win.c: sprintf(command,"cp /tmp/rot.jpg \"%s\"",filename);
References (upstream bug report):
This issue affects the versions of the gpicview package as shipped in
Fedora releases 8, 9 and 10.
According to the current findings, this issue can allow arbitrary code execution via a crafted file name:
Related Debian and Gentoo bug reports:
Was unable to reproduce the arbitrary code execution (CVE-2008-3904) either in LXDE (using lxterminal) or in GNOME (using gnome-terminal) by following the steps as mentioned in:
This has been corrected upstream and the fix is in version 0.1.10, which is in EPEL5. The corrected code also exists in the rotate_and_save_jpeg_lossless() function (relocated to jpeg-tran.c in 0.2.1, which is in Fedora 11+).
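Added example, not gpicview's code and not the upstream fix: it shows the shape of the code quoted in the report (a fixed /tmp name opened for writing, then a cp command line built from the image file name and handed to the shell, which is what both the symlink issue and the crafted-file-name issue come from) next to a hardened replacement that creates the scratch file with mkstemp() beside the target and rename()s it into place with no shell involved. The function names (save_rotated_insecure, save_rotated_secure, open_scratch_excl, demo_roundtrip, demo_symlink_refused), the scratch-name prefix .rot-XXXXXX and the sample file contents are assumptions; the JPEG rotation itself is stubbed out as "write these bytes".

```c
/* Added example (not gpicview's code): the reported pattern beside a hardened
 * replacement.  Names are hypothetical; rotation is stubbed as "write bytes". */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write all of buf to fd, retrying short writes; 0 on success, -1 on error. */
static int write_all(int fd, const char *buf, size_t len) {
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0) { if (errno == EINTR) continue; return -1; }
        buf += n; len -= (size_t)n;
    }
    return 0;
}

/* The shape of the reported code, kept for contrast and never called here:
 * fopen("w") on a fixed name in world-writable /tmp follows any symlink planted
 * there, and the file name is pasted into a line that /bin/sh parses. */
int save_rotated_insecure(const char *filename, const char *data, size_t len) {
    char command[4096];
    FILE *f = fopen("/tmp/rot.jpg", "w");
    if (!f) return -1;
    if (fwrite(data, 1, len, f) != len) { fclose(f); return -1; }
    fclose(f);
    snprintf(command, sizeof command, "cp /tmp/rot.jpg \"%s\"", filename);
    return system(command);                 /* the original used sprintf */
}

/* Hardened: scratch file created beside the target by mkstemp() (O_CREAT|O_EXCL,
 * mode 0600, unpredictable name), written and fsync'd, given the original's
 * permission bits, then rename()d over it: no fixed /tmp path, no shell. */
int save_rotated_secure(const char *filename, const char *data, size_t len) {
    char tmpl[PATH_MAX];
    struct stat st;
    char *copy = strdup(filename);          /* dirname() may modify its argument */
    if (!copy) return -1;
    int n = snprintf(tmpl, sizeof tmpl, "%s/.rot-XXXXXX", dirname(copy));
    free(copy);
    if (n < 0 || (size_t)n >= sizeof tmpl) return -1;
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    if (stat(filename, &st) == 0) (void)fchmod(fd, st.st_mode & 07777);
    if (write_all(fd, data, len) != 0 || fsync(fd) != 0) { close(fd); unlink(tmpl); return -1; }
    if (close(fd) != 0 || rename(tmpl, filename) != 0) { unlink(tmpl); return -1; }
    return 0;
}

/* If a fixed name must be reused: O_CREAT|O_EXCL fails with EEXIST when
 * anything, a symlink included, already sits at path. Returns the fd or -1. */
int open_scratch_excl(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Self-check in a private mkdtemp() directory: save twice through the hardened
 * path, read back, and confirm no scratch file leaked (rmdir would fail). */
int demo_roundtrip(void) {
    char dir[] = "/tmp/gpv-XXXXXX", target[PATH_MAX], buf[32];
    if (!mkdtemp(dir)) return 0;
    snprintf(target, sizeof target, "%s/photo.jpg", dir);
    int ok = save_rotated_secure(target, "orig", 4) == 0 &&
             save_rotated_secure(target, "rotated", 7) == 0;
    int fd = open(target, O_RDONLY);
    ssize_t n = fd < 0 ? -1 : read(fd, buf, sizeof buf);
    if (fd >= 0) close(fd);
    ok = ok && n == 7 && memcmp(buf, "rotated", 7) == 0;
    unlink(target);
    return ok && rmdir(dir) == 0;
}

/* Self-check: plant rot.jpg as a symlink to a constructed victim file and
 * confirm the O_EXCL open refuses it and the victim keeps its 7 bytes. */
int demo_symlink_refused(void) {
    char dir[] = "/tmp/gpv-XXXXXX", victim[PATH_MAX], planted[PATH_MAX];
    struct stat st;
    if (!mkdtemp(dir)) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(planted, sizeof planted, "%s/rot.jpg", dir);
    int fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write_all(fd, "keep me", 7) != 0 || close(fd) != 0) return 0;
    if (symlink(victim, planted) != 0) return 0;
    int ok = open_scratch_excl(planted) == -1 && errno == EEXIST &&
             stat(victim, &st) == 0 && st.st_size == 7;
    unlink(planted); unlink(victim); rmdir(dir);
    return ok;
}

int main(void) {
    printf("hardened save round-trip: %s\n", demo_roundtrip() ? "ok" : "FAIL");
    printf("planted symlink refused:  %s\n", demo_symlink_refused() ? "ok" : "FAIL");
    return 0;
}
```

Creating the scratch file in the target's own directory needs write permission there, which the original cp needed anyway, and keeps rename() on a single filesystem so the replacement is atomic; a fixed name in /tmp can never be made safe by checking first, because the attacker can plant the symlink between the check and the open, which is why open_scratch_excl relies on O_EXCL at the open itself rather than on a prior lstat.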