oss-sec mailing list archives

Re: CVE Request (gpicview)


From: Nico Golde <oss-security+ml () ngolde de>
Date: Sun, 31 Aug 2008 01:46:25 +0200

Hi Jan,
* Jan Lieskovsky <jlieskov () redhat com> [2008-08-25 13:06]:
> could you please allocate a CVE id for the following
> three gpicview issues:
>
> 1,
>
> http://sourceforge.net/tracker/index.php?func=detail&aid=2019481&group_id=180858&atid=894869
>
> Possible symlink attack via the temporarily created "/tmp/rot.jpg"
> file used for image rotation.
[...] 
Same piece of code main-win.c doesn't look too trustworthy 
to me either:

    int error = jpegtran (filename, "/tmp/rot.jpg" , code);
    if(error)
        return error;

    //now copy /tmp/rot.jpg back to the original file
    char command[strlen(filename)+50]; //this should not generate buffer owerflow
    // MS: didn't know, how to make it better, maybe an own copy routine
    sprintf(command,"cp /tmp/rot.jpg \"%s\"",filename);
    system(command);

Anyone played with crafted file names?
Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion () jabber ccc de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
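
Added example, not part of the mail above and not gpicview code: one way to do the "own copy routine" the quoted source comment asks for, with the fixed "/tmp/rot.jpg" replaced by a mkstemp() scratch file and the system("cp ...") call replaced by a plain read/write loop. The helper names open_scratch and copy_fd_to_path are hypothetical, and passing the scratch path to jpegtran() in place of the fixed name is an assumption.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create a private scratch file. mkstemp() picks an unpredictable name and
 * opens it with O_CREAT|O_EXCL and mode 0600, so a symlink planted under a
 * guessed name makes the call fail instead of being followed. */
int open_scratch(char *tmpl_out, size_t len)
{
    const char *dir = getenv("TMPDIR");
    int n = snprintf(tmpl_out, len, "%s/rot-XXXXXX",
                     (dir && *dir) ? dir : "/tmp");
    if (n < 0 || (size_t)n >= len)
        return -1;
    return mkstemp(tmpl_out);
}

/* Copy everything from src_fd into the file named dst. The name is handed
 * straight to open(), so quotes, ';' or '$' in it are only filename bytes;
 * no shell ever parses them. Returns 0 on success, -1 on any error. */
int copy_fd_to_path(int src_fd, const char *dst)
{
    char buf[4096];
    ssize_t r;
    int out = open(dst, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (out < 0)
        return -1;
    if (lseek(src_fd, 0, SEEK_SET) < 0) { close(out); return -1; }
    while ((r = read(src_fd, buf, sizeof buf)) > 0) {
        for (ssize_t off = 0; off < r; ) {   /* handle short writes */
            ssize_t w = write(out, buf + off, (size_t)(r - off));
            if (w < 0) { close(out); return -1; }
            off += w;
        }
    }
    if (close(out) < 0 || r < 0)
        return -1;
    return 0;
}
```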
