Description of problem:
gpicview-0.1.9 creates, for handling transient changes on the original image file, a temporary file with the hardcoded name /tmp/rot.jpg. This file can be used by a malicious user to cause a symlink attack and allow the user to destroy the target of the link.

Version-Release number of selected component (if applicable):
gpicview-0.1.9

How reproducible:
Always

Steps to Reproduce:
1. Create symlink to file /tmp/rot.jpg
2. Open some image file with gpicview
3. The target of the link will be erased.

Actual results:
Symlink attack possible.

Expected results:
No symlink attack possible.

Additional info:
Relevant part of the code:
main-win.c: //rotate the image and save it to /tmp/rot.jpg
main-win.c: int error = jpegtran (filename, "/tmp/rot.jpg" , code);
main-win.c: //now copy /tmp/rot.jpg back to the original file
main-win.c: sprintf(command,"cp /tmp/rot.jpg \"%s\"",filename);

References (upstream bug report):
http://sourceforge.net/tracker/index.php?func=detail&aid=2019481&group_id=180858&atid=894869
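Added example (my own code, not gpicview's and not the upstream fix): the same transform-and-replace step written so that neither the fixed /tmp name nor the shell-parsed file name is an issue. It assumes a hypothetical transform callback (a byte-inverting placeholder stands in for the JPEG rotation). The scratch file is created in the target's own directory with mkstemp() rather than at a fixed path under /tmp, and it is moved over the original with rename() rather than a "cp" command built by sprintf(), so no shell ever parses the file name.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Hypothetical transform signature; in gpicview this would be the lossless
 * JPEG rotation. Returns 0 on success, -1 on error. */
typedef int (*transform_fn)(FILE *in, FILE *out);

/* Placeholder transform for the example: invert every byte. Applying it twice
 * restores the original, which the self-check below relies on. */
int invert_bytes(FILE *in, FILE *out) {
    int c;
    while ((c = fgetc(in)) != EOF)
        if (fputc(c ^ 0xFF, out) == EOF) return -1;
    return ferror(in) ? -1 : 0;
}

/* Transform `target` in place. Returns 0 on success, -1 on error.
 * The scratch file is created in the target's own directory with a random
 * name (mkstemp uses O_CREAT|O_EXCL, so a pre-planted symlink is not followed),
 * then swapped over the original with rename(); no shell ever sees the name. */
int rotate_in_place(const char *target, transform_fn transform) {
    size_t len = strlen(target);
    char *tmp = malloc(len + sizeof(".XXXXXX"));
    if (!tmp) return -1;
    memcpy(tmp, target, len);
    memcpy(tmp + len, ".XXXXXX", sizeof(".XXXXXX"));   /* copies the NUL too */

    int fd = mkstemp(tmp);
    if (fd < 0) { free(tmp); return -1; }

    struct stat st;                          /* keep the original's mode bits */
    if (stat(target, &st) == 0) fchmod(fd, st.st_mode & 07777);

    FILE *in = fopen(target, "rb");
    FILE *out = fdopen(fd, "wb");
    int rc = -1;
    if (in && out && transform(in, out) == 0 && fflush(out) == 0 &&
        fsync(fd) == 0 && rename(tmp, target) == 0)
        rc = 0;
    int saved = errno;
    if (in) fclose(in);
    if (out) fclose(out); else close(fd);
    if (rc != 0) unlink(tmp);                /* never leave the scratch file behind */
    free(tmp);
    errno = saved;
    return rc;
}

/* Read up to `cap` bytes of `path` into `buf`; returns bytes read or -1. */
static long read_file(const char *path, char *buf, size_t cap) {
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    size_t n = fread(buf, 1, cap, f);
    fclose(f);
    return (long)n;
}

/* Self-check on a constructed sample file: transform twice and expect the
 * original bytes back. Returns 1 on success, 0 on any failure. */
int demo_roundtrip(void) {
    char path[] = "/tmp/gpicview-example-XXXXXX";   /* unique per run, not fixed */
    int fd = mkstemp(path);
    if (fd < 0) return 0;
    const char sample[] = "constructed sample image bytes";
    long n = (long)(sizeof(sample) - 1);
    if (write(fd, sample, (size_t)n) != n) { close(fd); unlink(path); return 0; }
    close(fd);

    char buf[64];
    int ok = rotate_in_place(path, invert_bytes) == 0
          && read_file(path, buf, sizeof buf) == n
          && (unsigned char)buf[0] == (unsigned char)('c' ^ 0xFF)
          && rotate_in_place(path, invert_bytes) == 0
          && read_file(path, buf, sizeof buf) == n
          && memcmp(buf, sample, (size_t)n) == 0;
    unlink(path);
    return ok;
}

int main(void) {
    int ok = demo_roundtrip();
    printf("%s\n", ok ? "roundtrip ok" : "roundtrip FAILED");
    return ok ? 0 : 1;
}
```

If an external tool such as jpegtran still has to be run, pass the file name as its own argv element through fork()/execvp() rather than embedding it in a command string. The fchmod() step is there because mkstemp() creates the scratch file with mode 0600, which would otherwise replace the original's permissions after rename().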
This issue affects the versions of the gpicview package as shipped within the Fedora releases of 8, 9 and 10.
According to the current findings, this issue can allow arbitrary code execution via a crafted file name:
http://marc.info/?l=oss-security&m=122040004828615&w=4

Related Debian and Gentoo bug reports:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495968
http://bugs.gentoo.org/show_bug.cgi?id=236525
Was unable to reproduce the arbitrary code execution (CVE-2008-3904) in either LXDE (using lxterminal) or GNOME (using gnome-terminal), following the steps mentioned in:
http://www.openwall.com/lists/oss-security/2008/09/03/1

References:
http://www.openwall.com/lists/oss-security/2008/08/30/1
http://www.openwall.com/lists/oss-security/2008/09/03/1

Proposed patch:
http://lxde.svn.sourceforge.net/viewvc/lxde/trunk/gpicview/src/main-win.c?sortby=date&r1=762&r2=845&pathrev=845
This has been corrected upstream, and the fix is in version 0.1.10, which is in EPEL5. The corrected code also exists in the rotate_and_save_jpeg_lossless() function (relocated to jpeg-tran.c in 0.2.1, which is in Fedora 11+).