A Debian bug report [1],[2] indicated that tesseract is vulnerable to an arbitrary file overwrite flaw. If a user could guess the PID of the tesseract process and create a symlink in /tmp, they could cause the overwrite of any file that the user running tesseract has write access to.

In ccutil/debugwin.cpp we have:

    length +=
      sprintf (command + length,
      "\"stty opost; tty >/tmp/debug%d; while [ -s /tmp/debug%d ]\ndo\nsleep 1\ndone\" &\n",
      pid, pid);
    length +=
      sprintf (command + length, "trap \"rm -f /tmp/debug%d; kill -9 $!\" 0\n",
      pid);
    length += sprintf (command + length, "trap \"exit\" 1 2 3 13 15\n");
    length +=
      sprintf (command + length,
      "while [ ! -s /tmp/debug%d ]\ndo\nsleep 1\ndone\n", pid);
    length += sprintf (command + length, "trap \"\" 1 2 3 13 15\n");
    length += sprintf (command + length, "ofile=`cat /tmp/debug%d`\n", pid);
    length +=
      sprintf (command + length, "cat -u - >$ofile; rm /tmp/debug%d\n", pid);

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=612032
[2] https://bugs.launchpad.net/ubuntu/+source/tesseract/+bug/607297
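Added example (not part of the original report and not tesseract code): the PID-derived /tmp/debug%d naming from the excerpt above, next to two hardened ways of creating the file, exercised in a constructed scratch directory. All function names, the sample PID 4242 and the scratch directory name are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern from the report: the name depends only on the PID and is opened the
 * way a shell ">" redirection opens it, so a pre-existing symlink is followed
 * and its target truncated. Kept only for comparison. */
int open_predictable(const char *dir, long pid) {
    char path[4096];
    snprintf(path, sizeof path, "%s/debug%ld", dir, pid);
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Same name, but creation must be exclusive: O_EXCL fails with EEXIST if
 * anything, including a symlink, already sits at the path. */
int open_exclusive(const char *dir, long pid) {
    char path[4096];
    snprintf(path, sizeof path, "%s/debug%ld", dir, pid);
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred: mkstemp() picks an unguessable name and creates it exclusively
 * with mode 0600. `path` receives the name actually used. */
int open_unpredictable(const char *dir, char *path, size_t len) {
    if ((size_t)snprintf(path, len, "%s/debugXXXXXX", dir) >= len) return -1;
    return mkstemp(path);
}

/* Constructed scenario in a private scratch directory: a 6-byte "victim" file
 * and a symlink to it at the predictable name. Runs one opener and returns the
 * victim's size afterwards (-1 on setup failure); *fd gets the opener's result. */
long victim_size_after(int (*opener)(const char *, long), int *fd) {
    char dir[] = "/tmp/dbgdemoXXXXXX", victim[64], link[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/debug%d", dir, 4242);
    FILE *f = fopen(victim, "w");
    if (!f || fputs("secret", f) < 0 || fclose(f) || symlink(victim, link)) return -1;
    *fd = opener(dir, 4242);
    if (*fd >= 0) close(*fd);
    if (stat(victim, &st)) return -1;
    unlink(link); unlink(victim); rmdir(dir);
    return (long)st.st_size;
}
```

With open_predictable the victim file ends up empty; with open_exclusive the open is refused and the file keeps its 6 bytes.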
Created tesseract tracking bugs for this issue

Affects: fedora-all [bug 676062]
Debian and Ubuntu's approach was to disable this functionality rather than fix the temporary file issues. Not sure if we want to use the same approach: --- debugwin.cpp.orig 2012-09-10 16:44:19.401189019 -0600 +++ debugwin.cpp 2012-09-10 16:46:51.759485593 -0600 @@ -31,7 +31,8 @@ DLLSYM INT_VAR (debug_lines, 256, "Number of lines in debug window"); -#ifndef GRAPHICS_DISABLED +#if 0 +/* disabled */ #ifdef __MAC__ #include <ltextedit.h>
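Review bot: Replacing "#ifndef GRAPHICS_DISABLED" with "#if 0" at the top of this hunk compiles the guarded block out of every build regardless of how GRAPHICS_DISABLED is set, and the matching #else/#endif is not visible here, so any #else branch would now always be built; please confirm that fallback is the intended behaviour for graphics-enabled builds. The "/* disabled */" comment should also state the reason (the predictable /tmp/debug%d files) and reference the bug, so the guard is not restored later without the temporary file handling being fixed.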
The current tesseract 3.02.02 as found in current Fedora releases (version 18+) no longer contains this debugwin.cpp file, nor are there any /tmp/debug* files written any longer, so this has been corrected upstream.