Bug 959433 (CVE-2015-7810) - CVE-2015-7810 libbluray (MountManager): TOCTOU race when expanding JAR files
Summary: CVE-2015-7810 libbluray (MountManager): TOCTOU race when expanding JAR files
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2015-7810
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 959238
Blocks: 959437
TreeView+ depends on / blocked
 
Reported: 2013-05-03 13:14 UTC by Jan Lieskovsky
Modified: 2019-09-29 13:04 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-06-01 09:33:26 UTC


Attachments (Terms of Use)

Description Jan Lieskovsky 2013-05-03 13:14:56 UTC
A time-of-check time-of-use (TOCTOU) race condition flaw was found in the way the MountManager class implementation of libbluray, a library to access Blu-Ray disks for video playback, performed expansion of JAR archives / files. A local attacker, with write privilege (in)to a directory, where MountManager class performed JAR files expansion, could use this flaw to conduct symbolic link attacks (possibly leading to their ability to [recursively] delete or overwrite arbitrary directory, accessible with the privileges of the user running the application utilizing the libbluray library).

This issue was discovered by Florian Weimer of Red Hat Product Security Team.

Comment 1 Jan Lieskovsky 2013-05-03 13:17:10 UTC
This issue affects the versions of the libbluray package, as shipped with Fedora release of 17, 18, and Fedora EPEL-6.

Comment 2 Kurt Seifried 2015-02-23 02:32:42 UTC
From the original report by Florian Weimer:

Creating a temporary file, deleting it, and re-creating it as a directory is racy:

        File tmpDir = null;
        try {
            jar = new JarFile(path);
            tmpDir = File.createTempFile("bdj-", "");
        } catch (IOException e) {
            e.printStackTrace();
            throw new MountException();
        }
        
        // create temporary directory
        tmpDir.delete();
        tmpDir.mkdir();

Another user might create a directory with wide permissions and do nasty stuff in there.

Comment 3 Adam Mariš 2015-11-03 12:49:30 UTC
CVE was assigned:

http://seclists.org/oss-sec/2015/q4/70


Note You need to log in before you can comment on or make changes to this bug.