#41 gpicview unsafe /tmp usage

Status: closed
Owner: nobody
Labels: None
Priority: 5
Updated: 2008-10-05
Created: 2008-07-16
Creator: Jeremy C. Reed
Private: No

gpicview-0.1.9 src/main-win.c uses hardcoded /tmp/rot.jpg for jpeg file saves.

This assumes that the system has only one user and, more importantly, someone can easily create a symlink and cause gpicview to overwrite files. With a properly designed jpeg file that has embedded data it could easily be used to compromise a system.

I created a symlink. And the target was destroyed:

$ ls -l 00028.jpg /home/reed/important /tmp/rot.jpg
-rw-r--r-- 1 reed users 903936 Jul 16 07:43 /home/reed/important
lrwxr-xr-x 1 reed wheel 20 Jul 16 07:37 /tmp/rot.jpg -> /home/reed/important
-rw-r--r-- 1 reed users 903936 Jul 16 07:43 00028.jpg

Use mkstemp or another safe routine.
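
The hardcoded-name save next to the mkstemp approach the report recommends, as an added example (not gpicview's code and not the r845 fix). The function names, the `/tmp/gpv-demo-XXXXXX` directory and the file contents are constructed for illustration; everything happens inside a private mkdtemp() directory.

```c
#define _XOPEN_SOURCE 700  /* expose mkstemp/mkdtemp/symlink under strict -std= */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write data to fd and close it; returns 0 on success, -1 on any failure. */
static int write_close(int fd, const char *data) {
    size_t len = strlen(data);
    int ok = fd >= 0 && write(fd, data, len) == (ssize_t)len;
    if (fd >= 0) close(fd);
    return ok ? 0 : -1;
}

/* Pattern from the report: predictable name. open() follows a pre-planted
 * symlink and O_TRUNC empties whatever it points to. */
int save_fixed(const char *path, const char *data) {
    return write_close(open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600), data);
}

/* Hardened: mkstemp() fills in XXXXXX and creates the file with O_CREAT|O_EXCL,
 * mode 0600, so an existing name or symlink is never reused. */
int save_mkstemp(char *tmpl, const char *data) {
    return write_close(mkstemp(tmpl), data);
}

/* Constructed scenario in a private mkdtemp() directory: "important" plus a
 * symlink rot.jpg -> important. Returns the size of "important" after a save. */
long target_size_after(int use_mkstemp) {
    char dir[] = "/tmp/gpv-demo-XXXXXX", target[64], link_path[64], tmpl[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/important", dir);
    snprintf(link_path, sizeof link_path, "%s/rot.jpg", dir);
    snprintf(tmpl, sizeof tmpl, "%s/rot-XXXXXX", dir);
    if (save_fixed(target, "important data") || symlink(target, link_path)) return -1;
    int rc = use_mkstemp ? save_mkstemp(tmpl, "jpeg") : save_fixed(link_path, "jpeg");
    long size = (rc == 0 && stat(target, &st) == 0) ? (long)st.st_size : -1;
    unlink(tmpl); unlink(link_path); unlink(target); rmdir(dir);
    return size;
}

int main(void) {
    printf("fixed name: target is %ld bytes\n", target_size_after(0));
    printf("mkstemp:    target is %ld bytes\n", target_size_after(1));
    return 0;
}
```

With the fixed name the 14-byte target shrinks to the 4 bytes of the new save; with mkstemp() it keeps its original size because the save goes to a freshly created file.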

Discussion

  • This has been fixed in r845 and the 0.1.10 release. Please close.

     
  • Jim Huang
    2008-10-05

    • status: open --> closed
     
  • Jim Huang
    2008-10-05

    Closed as requested.