oss-sec mailing list archives
Acrobat Reader 8.1.2 tmp racy wrapper script
From: Marcus Meissner <meissner () suse de>
Date: Thu, 21 Feb 2008 17:26:12 +0100
Hi,

I wonder if we will ever get rid of tmpraces, but /usr/bin/acroread from Acrobat Reader 8.1.2 has this gem that shows someone is forgetting the past again:

    MkTemp() {
        if [ "${mktemp_count+set}" != "set" ]; then
            mktemp_count="0"
        fi

        mktemp_file="/tmp/acrobat.$$.${mktemp_count}"

        while /usr/bin/test -e "$mktemp_file"
        do
            mktemp_count="`expr $mktemp_count + 1`"
            mktemp_file="/tmp/adobe.$$.${mktemp_count}"
        done

        touch "$mktemp_file" && chmod 644 "$mktemp_file" && echo "$mktemp_file"
    }

called by:

    LOGFILE="`MkTemp /tmp/ssl_logXXXXXX`"
    CERTNAME="`MkTemp /tmp/certi.cerXXXXXX`"
    CERTDATA="`MkTemp /tmp/certDataXXXXXX`"

They seem to have replaced perfectly fine "mktemp" calls by their own unsecure wrapper again. Just replace it back by "mktemp" and it will work.

No CVE allocated yet. I also have mailed PSIRT @ youknowhere.

Since this code is only run if you start acroread with special options, it is not that problematic.

Ciao, Marcus
--
Working, but not speaking, for the following german company:
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
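The wrapper's naming scheme from the message above next to the mktemp(1) replacement it recommends, as an added example that is not part of the original post and not Adobe's script. The directory parameter, the sandbox directory and the names legacy_mktemp, safe_mktemp, mode_of and demo are assumptions made so the comparison runs in a private directory instead of /tmp.

```sh
#!/bin/sh
# Added example (not Adobe's code). Everything happens in a private sandbox.

# Naming scheme from the post; the directory is a parameter (assumption)
# so the function can run outside /tmp. Like the original, it ignores any
# template argument and builds the name from the shell's PID and a counter.
legacy_mktemp() {
    dir=$1
    count=0
    file="$dir/acrobat.$$.$count"
    while test -e "$file"; do               # check ...
        count=$(expr "$count" + 1)
        file="$dir/adobe.$$.$count"
    done
    # ... then create: two separate steps, a guessable name, mode 644.
    touch "$file" && chmod 644 "$file" && echo "$file"
}

# Replacement: honour the template, let mktemp(1) choose a random suffix
# and create the file exclusively; umask 077 keeps it at mode 0600.
safe_mktemp() {
    ( umask 077 && mktemp "$1" )
}

# Mode string of a file, e.g. "-rw-------" (portable stand-in for stat).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

demo() {
    sandbox=$(mktemp -d) || return 1
    l1=$(legacy_mktemp "$sandbox")
    s1=$(safe_mktemp "$sandbox/ssl_logXXXXXX")
    s2=$(safe_mktemp "$sandbox/ssl_logXXXXXX")
    echo "legacy: $l1 $(mode_of "$l1") (name follows from the PID)"
    echo "mktemp: $s1 $(mode_of "$s1")"
    echo "mktemp: $s2 $(mode_of "$s2")"
    rm -rf "$sandbox"
}

demo
```

Because each call in the original runs inside backticks, the counter never persists between calls, so every invocation starts again from the same PID-derived name.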