A time-of-check time-of-use (TOCTOU) race condition flaw was found in the way the MountManager class of libbluray, a library for accessing Blu-ray discs for video playback, expanded JAR archives. A local attacker with write access to the directory in which the MountManager class expanded JAR files could use this flaw to conduct symbolic link attacks, possibly leading to the (recursive) deletion or overwriting of an arbitrary directory accessible with the privileges of the user running the application that uses libbluray. This issue was discovered by Florian Weimer of the Red Hat Product Security Team.
This issue affects the versions of the libbluray package as shipped with Fedora 17, Fedora 18, and Fedora EPEL-6.
From the original report by Florian Weimer: Creating a temporary file, deleting it, and re-creating it as a directory is racy:

    File tmpDir = null;
    try {
        jar = new JarFile(path);
        tmpDir = File.createTempFile("bdj-", "");
    } catch (IOException e) {
        e.printStackTrace();
        throw new MountException();
    }
    // create temporary directory
    tmpDir.delete();
    tmpDir.mkdir();

Another user might create a directory with wide permissions and do nasty stuff in there.
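The following is an added example, not code from libbluray or from the report above. It places the racy create-file/delete/mkdir sequence quoted in the report next to a hardened form that uses Files.createTempDirectory, which creates the directory atomically under a fresh, unpredictable name and, on POSIX systems, with owner-only permissions, so there is no window in which another local user can claim the name. The class name TempDirDemo and the method names are assumptions made for this example.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;

public class TempDirDemo {

    // Racy pattern, as quoted in the report: a temporary file is created, removed,
    // and a directory of the same name is created afterwards. Between delete() and
    // mkdir() another local user can create that directory with wide permissions.
    // The ignored return value of mkdir() means a pre-existing directory is not
    // even noticed.
    static File racyTempDir() throws IOException {
        File tmpDir = File.createTempFile("bdj-", "");
        tmpDir.delete();
        tmpDir.mkdir();
        return tmpDir;
    }

    // Hardened form: the directory is created in one step by the JDK, which retries
    // with a new random name if the name already exists, so no other user can
    // pre-create it. On POSIX the default permissions are rwx------ (owner only).
    static Path safeTempDir() throws IOException {
        return Files.createTempDirectory("bdj-");
    }

    // Reports the permissions of the created directory; returns a placeholder on
    // file systems without POSIX permissions (for example Windows).
    static String describePermissions(Path dir) {
        try {
            return PosixFilePermissions.toString(Files.getPosixFilePermissions(dir));
        } catch (UnsupportedOperationException e) {
            return "(non-POSIX file system)";
        }
    }

    public static void main(String[] args) throws IOException {
        Path dir = safeTempDir();
        System.out.println("created " + dir + " with permissions " + describePermissions(dir));
        Files.delete(dir);
    }
}
```

On a Linux system the program prints a directory such as /tmp/bdj-1234567890 with permissions rwx------; the racy variant would instead leave an ordinary directory created with the process umask, and would silently reuse a directory planted by another user.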
CVE was assigned: http://seclists.org/oss-sec/2015/q4/70