Bug#756565: lives: Numerous insecure temporary files used in smogrify
Steve Kemp
steve at steve.org.uk
Wed Jul 30 22:23:41 UTC 2014
Package: lives
Version: 1.6.2
Severity: important
Tags: security
lives contains a Perl script, smogrify, which does
a lot of the work.
I don't want to point out line-by-line all the issues in the
smogrify script, but please consider significantly overhauling it.
There are numerous insecure uses of temporary files. For example:
    if ($command eq "get_window_id") {
        smog_system("xwininfo > \"$curtmpdir/tmpinfo\"");
        smog_system("grep \"Window id:\" \"$curtmpdir/tmpinfo\" > \"$curtmpdir/tmpinfo2\"");
        if (defined(open IN,"< $curtmpdir/tmpinfo2")) {
            read IN,$win_id,128;
            close IN;
        }
You'll see that $curtmpdir is set to /tmp/smogrify, via code such as:
    $handle=$ARGV[1];
    $curtmpdir="$tmpdir/$handle";
To investigate all the issues is beyond my free timeframe, but I'd suggest
a decent starting point is to run the whole system under strace and grep
for /tmp in open|close|unlink|creat calls.
Steve
--
-- System Information:
Debian Release: 7.6
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.14-0.bpo.1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF8, LC_CTYPE=en_US.UTF8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash
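
The strace-based audit suggested in the report, sketched as an added example (not part of the original message and not code from lives): it reads a trace log and separates file creations under /tmp that lack O_EXCL from other by-name accesses. The trace lines are constructed; `audit`, `SAMPLE_TRACE`, `/tmp/abc123XY` and `/tmp/smogrify/out` are hypothetical names.

```python
import re

# Constructed strace lines (not captured from a real run), in the format of
#   strace -f -o trace.log -e trace=open,openat,creat,unlink <program>
SAMPLE_TRACE = r'''
1234 open("/tmp/smogrify/tmpinfo", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
1234 open("/tmp/smogrify/tmpinfo2", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
1235 open("/tmp/smogrify/tmpinfo2", O_RDONLY) = 3
1236 openat(AT_FDCWD, "/tmp/abc123XY", O_RDWR|O_CREAT|O_EXCL, 0600) = 4
1236 open("/etc/passwd", O_RDONLY) = 5
1237 creat("/tmp/smogrify/out", 0666) = 3
1237 unlink("/tmp/smogrify/tmpinfo") = 0
'''

# Optional pid prefix, syscall name, quoted path, optional flag list.
CALL = re.compile(
    r'^(?:\d+\s+)?(open|openat|creat|unlink)\('
    r'(?:AT_FDCWD, )?"((?:[^"\\]|\\.)*)"'
    r'(?:, ([A-Z_|]+))?')


def audit(trace, tmp_prefix="/tmp/"):
    """Return (severity, syscall, path, reason) for calls touching tmp_prefix."""
    findings = []
    for line in trace.splitlines():
        m = CALL.match(line)
        if not m:
            continue
        call, path = m.group(1), m.group(2)
        flags = set((m.group(3) or "").split("|"))
        if not path.startswith(tmp_prefix):
            continue
        if call == "creat":
            # creat() is open() with O_CREAT|O_WRONLY|O_TRUNC: never exclusive.
            findings.append(("high", call, path, "creat() cannot request O_EXCL"))
        elif call == "unlink":
            findings.append(("review", call, path, "unlink by name"))
        elif "O_CREAT" not in flags:
            findings.append(("review", call, path, "opens existing path by name"))
        elif "O_EXCL" not in flags:
            findings.append(("high", call, path, "O_CREAT without O_EXCL"))
        # O_CREAT|O_EXCL (what mkstemp() uses) is the safe case: not reported.
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_TRACE):
        print(*finding, sep="\t")
```
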