A vulnerability was found in the onionshare application. Onionshare uses /tmp/onionshare to create a temporary directory $HS that is then used for the creation of a tor hidden service, as HiddenServiceDir configuration. Then, the tor daemon creates 2 files in $HS But onionshare doesn't verify the owner or the exact permission of /tmp/onionshare. So if a attacker pre-create a directory /tmp/onionshare with 777 permissions and him as a owner, he can use a race condition to inject his own files in the share. References: http://seclists.org/oss-sec/2016/q2/392 Vulnerable code: https://github.com/micahflee/onionshare/blob/master/onionshare/hs.py#L105
Created onionshare tracking bugs for this issue: Affects: fedora-all [bug 1339510] Affects: epel-all [bug 1339511]
Upstream fix -> https://github.com/micahflee/onionshare/commit/70c55511b13ae04b2108b8cb2317
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.