#41 gpicview unsafe /tmp usage

closed
nobody
None
5
2008-10-05
2008-07-16
No

gpicview-0.1.9 src/main-win.c uses hardcoded /tmp/rot.jpg for jpeg file saves.

This assumes that the system only has one user and, more importantly, someone can easily create a symlink and cause gpicview to overwrite files. With a properly designed jpeg file that has embedded data, it could easily be used to compromise a system.

I created a symlink. And the target was destroyed:

$ ls -l 00028.jpg /home/reed/important /tmp/rot.jpg
-rw-r--r-- 1 reed users 903936 Jul 16 07:43 /home/reed/important
lrwxr-xr-x 1 reed wheel 20 Jul 16 07:37 /tmp/rot.jpg -> /home/reed/important
-rw-r--r-- 1 reed users 903936 Jul 16 07:43 00028.jpg

Use mkstemp or other safe routine.
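The fix the report asks for, shown beside the flawed pattern, as an added example that is not part of the report and is not gpicview's code or the r845 change. The sandbox directory, the "important" file, the rot-XXXXXX template and all function names are constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* As in the report: fopen("w") follows a symlink and truncates its target. */
int save_fixed_name(const char *path, const void *buf, size_t len)
{
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    size_t n = fwrite(buf, 1, len, f);
    return (fclose(f) == 0 && n == len) ? 0 : -1;
}

/* Hardened: mkstemp() fills in an unpredictable name and creates the file
 * with O_CREAT|O_EXCL, mode 0600, so an existing file or symlink is never reused. */
int save_mkstemp(char *tmpl, const void *buf, size_t len)
{
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    ssize_t w = write(fd, buf, len);
    if (close(fd) != 0 || w != (ssize_t)len) { unlink(tmpl); return -1; }
    return 0;
}

/* Constructed demo in a private sandbox directory: rot.jpg is a symlink to
 * "important" (13 bytes). Returns the size of "important" after a 4-byte save. */
long victim_size_after(int use_mkstemp)
{
    char dir[] = "/tmp/tmpdemo-XXXXXX", victim[64], lnk[64], tmpl[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/important", dir);
    snprintf(lnk, sizeof lnk, "%s/rot.jpg", dir);
    snprintf(tmpl, sizeof tmpl, "%s/rot-XXXXXX", dir);
    if (save_fixed_name(victim, "precious data", 13) || symlink(victim, lnk)) return -1;
    int rc = use_mkstemp ? save_mkstemp(tmpl, "JPEG", 4)
                         : save_fixed_name(lnk, "JPEG", 4);
    long size = (rc == 0 && stat(victim, &st) == 0) ? (long)st.st_size : -1;
    unlink(tmpl); unlink(lnk); unlink(victim); rmdir(dir);
    return size;
}

int main(void)
{
    printf("fixed: %ld bytes, mkstemp: %ld bytes\n", victim_size_after(0), victim_size_after(1));
    return 0;
}
```

With the fixed name the linked file shrinks to the 4 bytes just written; with mkstemp it keeps its original 13 bytes.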

Discussion

  • Robert Buchholz - 2008-09-13

    This has been fixed in r845 and the 0.1.10 release. Please close.

     
  • Jim Huang - 2008-10-05
    • status: open --> closed
     
  • Jim Huang - 2008-10-05

    Closed as requested.

     
