Bug 676061 - tesseract: arbitrary file overwrite vulnerability
tesseract: arbitrary file overwrite vulnerability
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
public=20100719,reported=20110208,sou...
: Security
Depends On: 676062
Blocks:
  Show dependency treegraph
 
Reported: 2011-02-08 13:10 EST by Vincent Danen
Modified: 2015-08-19 05:05 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-12-23 13:25:42 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Vincent Danen 2011-02-08 13:10:34 EST
A Debian bug report [1],[2] indicated that tesseract is vulnerable to an arbitrary file overwrite flaw.  If a user could guess the PID of the tesseract process and create a symlink in /tmp, they could cause the overwrite of any file that the user running tesseract has write access to.  In ccutil/debugwin.cpp we have:

253   length +=
254     sprintf (command + length,
255     ""stty opost; tty >/tmp/debug%d; while [ -s /tmp/debug%d ]\ndo\nsleep 1\ndone" &\n",
256     pid, pid);
257   length +=
258     sprintf (command + length, "trap "rm -f /tmp/debug%d; kill -9 $!" 0\n",
259     pid);
260   length += sprintf (command + length, "trap "exit" 1 2 3 13 15\n");
261   length +=
262     sprintf (command + length,
263     "while [ ! -s /tmp/debug%d ]\ndo\nsleep 1\ndone\n", pid);
264   length += sprintf (command + length, "trap "" 1 2 3 13 15\n");
265   length += sprintf (command + length, "ofile=`cat /tmp/debug%d`\n", pid);
266   length +=
267     sprintf (command + length, "cat -u - >$ofile; rm /tmp/debug%d\n", pid);

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=612032
[2] https://bugs.launchpad.net/ubuntu/+source/tesseract/+bug/607297
Comment 1 Vincent Danen 2011-02-08 13:11:16 EST
Created tesseract tracking bugs for this issue

Affects: fedora-all [bug 676062]
Comment 2 Vincent Danen 2012-09-10 18:47:51 EDT
Debian and Ubuntu's approach was to disable this functionality rather than fix the temporary file issues.  Not sure if we want to use the same approach:

--- debugwin.cpp.orig   2012-09-10 16:44:19.401189019 -0600
+++ debugwin.cpp        2012-09-10 16:46:51.759485593 -0600
@@ -31,7 +31,8 @@
 
 DLLSYM INT_VAR (debug_lines, 256, "Number of lines in debug window");
 
-#ifndef GRAPHICS_DISABLED
+#if 0
+/* disabled */
 
 #ifdef __MAC__
 #include          <ltextedit.h>
Comment 3 Vincent Danen 2013-12-23 13:25:42 EST
The current tesseract 3.02.02 as found in current Fedora releases (version 18+) no longer contain this debugwin.cpp file, nor is there any /tmp/debug* files written any longer, so this has been corrected upstream.

Note You need to log in before you can comment on or make changes to this bug.