Bug 460180 (CVE-2008-3791) - CVE-2008-3791 gpicview: Insecure auxiliary /tmp file usage (symlink attack possible)
Summary: CVE-2008-3791 gpicview: Insecure auxiliary /tmp file usage (symlink attack po...
Keywords:
Status: CLOSED UPSTREAM
Alias: CVE-2008-3791
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-08-26 16:41 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:26 UTC (History)
CC List: 2 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-04-19 21:59:27 UTC
Embargoed:




Links
System      ID      Private  Priority  Status  Summary  Last Updated
Debian BTS  495968  0        None      None    None     Never

Description Jan Lieskovsky 2008-08-26 16:41:54 UTC
Description of problem:

To handle transient changes to the original image file, gpicview-0.1.9
creates a temporary file with the hardcoded name /tmp/rot.jpg.
This file can be used by a malicious user to mount a symlink attack
and allows that user to destroy the target of the link.


Version-Release number of selected component (if applicable):
gpicview-0.1.9

How reproducible:
Always

Steps to Reproduce:
1. Create symlink to file /tmp/rot.jpg
2. Open some image file with gpicview
3. The target of the link will be erased.
  
Actual results:
Symlink attack possible.

Expected results:
No symlink attack possible.

Additional info:
Relevant part of the code:

main-win.c:    //rotate the image and save it to /tmp/rot.jpg
main-win.c:    int error = jpegtran (filename, "/tmp/rot.jpg" , code);
main-win.c:    //now copy /tmp/rot.jpg back to the original file
main-win.c:    sprintf(command,"cp /tmp/rot.jpg \"%s\"",filename);

References (upstream bug report):

http://sourceforge.net/tracker/index.php?func=detail&aid=2019481&group_id=180858&atid=894869

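As an added example (not gpicview's code and not part of the bug report), the program below places the vulnerable shape of the code next to a hardened replacement and runs the symlink scenario in a private sandbox directory instead of the real /tmp. The jpegtran() call is replaced by fake_rotate(), a stand-in that just reverses the file's bytes; the names rot.jpg, victim and image.jpg, and the sandbox directory created with mkdtemp(), are constructed for the demonstration. build_cp_command() reproduces the sprintf() from main-win.c so that the effect of a double quote in the file name (the command-injection angle raised later in this bug) is visible in the resulting string.

```c
// Added example, not gpicview's code: predictable temp file + shell command
// (the bug) versus mkstemp()+rename() (the fix), exercised in a sandbox.
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Stand-in for jpegtran(): "rotates" by reversing the bytes of src into out_fd. */
static int fake_rotate(const char *src, int out_fd) {
    char buf[4096];
    int in = open(src, O_RDONLY);
    if (in < 0) return -1;
    ssize_t n = read(in, buf, sizeof buf);
    close(in);
    if (n < 0) return -1;
    for (ssize_t i = 0; i < n / 2; i++) {
        char t = buf[i]; buf[i] = buf[n - 1 - i]; buf[n - 1 - i] = t;
    }
    return write(out_fd, buf, (size_t)n) == n ? 0 : -1;
}

/* 1. The original command construction: a double quote inside the file name
   terminates the quoting, and whatever follows is interpreted by the shell. */
static void build_cp_command(const char *filename, char *out, size_t n) {
    snprintf(out, n, "cp /tmp/rot.jpg \"%s\"", filename);
}

/* 2. The vulnerable open: fixed path, O_CREAT|O_TRUNC, no O_EXCL or O_NOFOLLOW.
   A symlink planted at fixed_path is followed, so its target gets truncated
   and overwritten with the rotated image. */
static int vulnerable_write(const char *fixed_path, const char *src) {
    int fd = open(fixed_path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    int rc = fake_rotate(src, fd);
    close(fd);
    return rc;
}

/* Check: with O_CREAT|O_EXCL, open() refuses an existing path, including a
   symlink, with EEXIST instead of following it. Returns 1 if refused. */
static int exclusive_open_refuses(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0) { close(fd); return 0; }
    return errno == EEXIST;
}

/* 3. Hardened: unpredictable name from mkstemp() (O_CREAT|O_EXCL, mode 0600) in
   the same directory as the target, data written through the descriptor, then
   rename() over the original. No shell, no cp, no fixed name under /tmp. */
static int hardened_rotate_and_save(const char *filename) {
    char tmpl[4096];
    if (snprintf(tmpl, sizeof tmpl, "%s.rotXXXXXX", filename) >= (int)sizeof tmpl) return -1;
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    int rc = fake_rotate(filename, fd);
    if (rc == 0 && fsync(fd) < 0) rc = -1;
    close(fd);
    if (rc < 0 || rename(tmpl, filename) < 0) { unlink(tmpl); return -1; }
    return 0;
}

static int write_file(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

static int read_file(const char *path, char *out, size_t n) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t got = read(fd, out, n - 1);
    close(fd);
    if (got < 0) return -1;
    out[got] = '\0';
    return 0;
}

/* Runs the scenario in a fresh sandbox (constructed; stands in for /tmp).
   Returns 1 when the hardened path leaves the symlink target untouched, the
   O_EXCL check refuses the planted link, and the vulnerable path overwrites
   the target; 0 on any other outcome, -1 if the sandbox cannot be created. */
static int demo_symlink_attack(void) {
    char dir[] = "/tmp/gpv-demo-XXXXXX";
    if (!mkdtemp(dir)) return -1;
    char victim[64], link[64], image[64], got[64], img[64];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/rot.jpg", dir);   /* plays the role of /tmp/rot.jpg */
    snprintf(image, sizeof image, "%s/image.jpg", dir);
    int ok = 0;
    if (write_file(victim, "SECRET") == 0 && write_file(image, "JPEGDATA") == 0 &&
        symlink(victim, link) == 0) {                 /* attacker plants the link */
        int h = hardened_rotate_and_save(image);      /* never touches rot.jpg */
        read_file(image, img, sizeof img);
        read_file(victim, got, sizeof got);
        int safe = h == 0 && strcmp(img, "ATADGEPJ") == 0 && strcmp(got, "SECRET") == 0;
        int refused = exclusive_open_refuses(link);
        int v = vulnerable_write(link, image);        /* follows the link */
        read_file(victim, got, sizeof got);
        int clobbered = v == 0 && strcmp(got, "JPEGDATA") == 0;
        ok = safe && refused && clobbered;
    }
    unlink(link); unlink(victim); unlink(image); rmdir(dir);
    return ok;
}
```

Note that the hardened version puts the temporary file beside the image rather than in a shared directory, which is what makes rename() atomic on the same filesystem and removes the race entirely; if the image's directory is not writable the caller has to fall back to writing a copy elsewhere, not to a fixed name in /tmp.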
Comment 1 Jan Lieskovsky 2008-08-26 16:43:10 UTC
This issue affects the versions of the gpicview package as shipped within
Fedora releases 8, 9 and 10.

Comment 2 Tomas Hoger 2008-09-03 06:18:49 UTC
According to the current findings, this issue can allow arbitrary code execution via crafted file name:
  http://marc.info/?l=oss-security&m=122040004828615&w=4

Related Debian and Gentoo bug reports:
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495968
  http://bugs.gentoo.org/show_bug.cgi?id=236525

Comment 3 Jan Lieskovsky 2008-09-23 13:34:30 UTC
Was unable to reproduce the arbitrary code execution (CVE-2008-3904) either in LXDE (using lxterminal) or in GNOME (using gnome-terminal), by following the steps mentioned in:

http://www.openwall.com/lists/oss-security/2008/09/03/1

References: 

http://www.openwall.com/lists/oss-security/2008/08/30/1
http://www.openwall.com/lists/oss-security/2008/09/03/1

Proposed patch:

http://lxde.svn.sourceforge.net/viewvc/lxde/trunk/gpicview/src/main-win.c?sortby=date&r1=762&r2=845&pathrev=845

Comment 4 Vincent Danen 2010-04-19 21:59:27 UTC
This has been corrected upstream and the fix is in version 0.1.10 which is in EPEL5.  The corrected code also exists in the rotate_and_save_jpeg_lossless() function (relocated to jpeg-tran.c in 0.2.1, which is in Fedora 11+).

