Package: fotoxx
Version: 11.11.1-1.1
Severity: important
Tags: security


(Irrelevant) Printing Issues
----------------------------

All three versions of fotoxx packaged for Debian (squeeze, wheezy, and jessie)
make insecure use of a temporary file when printing in the function `wprintp`
in zfuncs.cc.

//  print text dialogs
//  (pid, tempfile, err and mLog are file-scope globals in zfuncs.cc)
void wprintp()
{
   pid = getpid();
   snprintf(tempfile,49,"/tmp/wprintp-%d",pid);   // predictable name in the shared /tmp
   err = wfiledump(mLog,tempfile);                // dump written straight to that path
   if (err) return;
}

Happily this code doesn't ever seem to be called, so it can be safely removed.




Email Attachments
-----------------

In version 11.11.1-1.1 (wheezy-only) the code to handle adding attachments to 
emails is seriously broken.

The code in question is located in the function `email_dialog_event` in the 
file `fotoxx_tools.cc`, and in brief it:


1. Creates a temporary directory:
     /tmp/$USER/fotoxx/email

2. Removes *.jpg from that directory.

3. Copies the selected files to that directory, mandating a fixed naming 
pattern, after resizing/downsampling.

4. Builds up a command line:

     xdg-email --attach file1 --attach file2 ...

5. Executes it.


The third step allows file truncation and overwriting, because the copy step
does not check for collisions with files already present in that directory.




Global Lockfile
---------------

In version 11.11.1-1.1 (wheezy-only) the file
"/tmp/global_lock_fotoxx_syncfiles" is used insecurely as an attempt to avoid
multiple syncs.

Create the lockfile as a symlink and fotoxx will gladly follow it, creating an
empty file.  This could perhaps be leveraged if the symlink pointed to
/etc/cron.d, or DoS via the creation of /etc/nologin if fotoxx is ever
executed as root.

$ ln -s /tmp/foo /tmp/global_lock_fotoxx_syncfiles
$ ls -l /tmp/global_lock_fotoxx_syncfiles
/tmp/global_lock_fotoxx_syncfiles -> /tmp/foo

$ ls -l /tmp/foo
ls: cannot access /tmp/foo: No such file or directory

Now launch fotoxx and see that the file has been created:

$ ls -1 /tmp/foo
/tmp/foo
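The fix for both patterns described above (the fixed-name lockfile that follows a planted symlink, and the PID-named temp file in wprintp) is to let the kernel refuse pre-existing paths and symlinks. The following is an added example written for this report, not fotoxx's own code; lock_create, tempfile_create and selfcheck are hypothetical names, and the self-check reproduces the symlink step from above inside a private mkdtemp directory.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* mkdtemp, mkstemp, O_NOFOLLOW, O_CLOEXEC */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hardened lockfile: O_EXCL refuses an existing entry (a symlink included,
   regardless of where it points) and O_NOFOLLOW is belt-and-braces. */
int lock_create(const char *path)
{
   return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
}

/* Hardened temp file: replaces snprintf("/tmp/wprintp-%d", pid) with an
   unpredictable name that mkstemp creates atomically with O_EXCL. */
int tempfile_create(char *namebuf, size_t len)
{
   if (snprintf(namebuf, len, "/tmp/wprintp-XXXXXX") >= (int)len) return -1;
   return mkstemp(namebuf);   /* namebuf now holds the real name on success */
}

/* Self-check (constructed scenario): plant a dangling symlink at the lock path
   as in the report, confirm lock_create() refuses it and that the symlink
   target was NOT created, then confirm a clean path works exactly once.
   Returns 1 on pass, 0 on failure. */
int selfcheck(void)
{
   char dir[] = "/tmp/lockcheck-XXXXXX";
   char lock[128], target[128], tmpname[64];
   int ok = 0, fd;

   if (!mkdtemp(dir)) return 0;
   snprintf(lock, sizeof lock, "%s/global_lock", dir);
   snprintf(target, sizeof target, "%s/victim", dir);

   if (symlink(target, lock) == 0 && lock_create(lock) < 0
       && access(target, F_OK) != 0) {          /* victim must not exist */
      unlink(lock);
      fd = lock_create(lock);                   /* plain path: succeeds */
      if (fd >= 0) {
         close(fd);
         ok = (lock_create(lock) < 0 && errno == EEXIST);  /* second holder refused */
         unlink(lock);
      }
   }
   fd = tempfile_create(tmpname, sizeof tmpname);
   if (fd >= 0) { close(fd); unlink(tmpname); } else ok = 0;
   rmdir(dir);
   return ok;
}
```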



14.07.1
-------

This version appears to create /tmp/fotoxx-%s unsafely, with the name derived
from the PID of the process.  This should be investigated too.


-- System Information:
Debian Release: 7.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-0.bpo.1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF8, LC_CTYPE=en_US.UTF8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash

Versions of packages fotoxx depends on:
ii  libatk1.0-0         2.4.0-2
ii  libc6               2.13-38+deb7u4
ii  libcairo2           1.12.2-3
ii  libfontconfig1      2.9.0-7.1
ii  libfreetype6        2.4.9-1.1
ii  libgcc1             1:4.7.2-5
ii  libgdk-pixbuf2.0-0  2.26.1-1
ii  libglib2.0-0        2.33.12+really2.32.4-5
ii  libgtk2.0-0         2.24.10-2
ii  libpango1.0-0       1.30.0-1
ii  libstdc++6          4.7.2-5
ii  libtiff4            3.9.6-11

Versions of packages fotoxx recommends:
ii  libimage-exiftool-perl  8.60-2
pn  libtiff                 <none>
ii  ufraw-batch             0.18-2
pn  xgd-open                <none>

Versions of packages fotoxx suggests:
ii  brasero  3.4.1-4

-- no debconf information

