gpicview-0.1.9 src/main-win.c uses hardcoded /tmp/rot.jpg for jpeg file saves.
This assumes that the system only has one user and, more importantly, someone can easily create a symlink and cause gpicview to overwrite files. With a properly designed jpeg file that has embedded data it could easily be used to compromise a system.
I created a symlink. And the target was destroyed:
$ ls -l 00028.jpg /home/reed/important /tmp/rot.jpg
-rw-r--r-- 1 reed users 903936 Jul 16 07:43 /home/reed/important
lrwxr-xr-x 1 reed wheel 20 Jul 16 07:37 /tmp/rot.jpg -> /home/reed/important
-rw-r--r-- 1 reed users 903936 Jul 16 07:43 00028.jpg
Use mkstemp or other safe routine.
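The mkstemp approach the report asks for, as an added example that is not gpicview's code: it writes the image to a uniquely named file and checks that a planted rot.jpg symlink is left alone. The function names, the "gpicview-rot-XXXXXX" template and the demo paths are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: write buf to a fresh, uniquely named file in dir and
 * return the chosen name in out. mkstemp() creates the file exclusively, so
 * a symlink or file planted in advance is never the thing that gets opened. */
int save_temp_jpeg(const char *dir, const void *buf, size_t len,
                   char *out, size_t outsz)
{
    if (snprintf(out, outsz, "%s/gpicview-rot-XXXXXX", dir) >= (int)outsz)
        return -1;                      /* name did not fit in out */
    int fd = mkstemp(out);
    if (fd < 0) return -1;
    const char *p = buf;
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n < 0) { close(fd); unlink(out); return -1; }
        p += n; len -= (size_t)n;
    }
    return close(fd);
}

/* Constructed demo: plant dir/rot.jpg -> dir/important, then save an image.
 * Returns 0 if the symlink target still holds its original contents. */
int demo_symlink_is_ignored(void)
{
    char dir[] = "/tmp/rotdemo-XXXXXX", victim[64], trap[64], saved[96];
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/important", dir);
    snprintf(trap, sizeof trap, "%s/rot.jpg", dir);
    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs("keep me", f); fclose(f);
    if (symlink(victim, trap) != 0) return -1;
    int rc = save_temp_jpeg(dir, "\xff\xd8\xff\xd9", 4, saved, sizeof saved);
    char got[16] = {0};
    f = fopen(victim, "r");
    if (f) { fgets(got, sizeof got, f); fclose(f); }
    struct stat st;
    int ok = rc == 0 && strcmp(got, "keep me") == 0 &&
             lstat(saved, &st) == 0 && S_ISREG(st.st_mode) && st.st_size == 4;
    unlink(saved); unlink(trap); unlink(victim); rmdir(dir);
    return ok ? 0 : 1;
}
```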