Package: fbi
Version: 2.01-1.4
Severity: important
Tags: security patch
Hi,
the fbgs script uses an unsafe way to create its tempdir:
mkdir -p /var/tmp/fbps-$$
and proceeds to write to fixed filenames in this folder.
This can be raced to overwrite arbitrary files of the user running fbgs.
A patch is attached.
regards,
Jan
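A hardened version of the temp-dir setup the report objects to, as an added example (shell written for this page, not code from the fbida sources or from the attached patch): it replaces the predictable `mkdir -p` path with `mktemp -d`, relies on mktemp's exit status instead of a later `[ -d ]` test, and validates the directory before fixed file names are written into it. It assumes a POSIX sh whose `test` supports `-O` (dash and bash do) and a `mktemp` that accepts a template path with `-d` (GNU and BSD do).

```shell
#!/bin/sh
# Hardened temp-dir setup for a script like fbgs. Added example, not code
# from fbida or from the attached patch. Assumes a POSIX sh whose test(1)
# supports -O (dash and bash do) and a mktemp(1) that accepts a template
# path with -d (GNU and BSD do).

# Create a private scratch directory and print its path.
# Honours TMPDIR like the original script, falling back to /var/tmp.
make_private_tmpdir() {
    base=${TMPDIR:-/var/tmp}
    # mktemp chooses an unpredictable name and creates it with mode 0700.
    # Its exit status is the reliable signal: a later "[ -d $DIR ]" with an
    # empty, unquoted DIR would wrongly succeed.
    dir=$(mktemp -d "$base/fbgs-XXXXXX") || return 1
    tmpdir_is_private "$dir" || { rmdir "$dir" 2>/dev/null || :; return 1; }
    printf '%s\n' "$dir"
}

# Check that fixed file names may safely be written under $1: it must
# exist, not be a symlink (which would redirect the writes elsewhere),
# be owned by the caller, and carry no group/other write bits.
tmpdir_is_private() {
    d=$1
    [ -n "$d" ] || return 1
    [ ! -L "$d" ] || return 1
    [ -d "$d" ] || return 1
    [ -O "$d" ] || return 1
    # ls -ld prints the mode first, e.g. "drwx------"; characters 6 and 9
    # of that field are the group and other write bits.
    case $(ls -ld "$d") in
        d????-??-?*) return 0 ;;
        *) return 1 ;;
    esac
}
```

The caller still removes the directory on exit, as fbgs does, but with the path quoted: `trap 'rm -rf "$dir"' EXIT`.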
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (990, 'testing')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/dash
Kernel: Linux 2.6.15-1-k7
Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Versions of packages fbi depends on:
ii libc6 2.3.6-3 GNU C Library: Shared libraries an
ii libcurl3 7.15.3-1 Multi-protocol file transfer libra
ii libexif12 0.6.13-4 library to parse EXIF files
ii libfontconfig1 2.3.2-1.1 generic font configuration library
ii libfreetype6 2.1.10-1 FreeType 2 font engine, shared lib
ii libjpeg62 6b-12 The Independent JPEG Group's JPEG
ii libpcd2 1.0.1 A library for reading PhotoCD imag
ii libpng12-0 1.2.8rel-5 PNG library - runtime
ii libtiff4 3.8.0-3 Tag Image File Format (TIFF) libra
ii libungif4g 4.1.4-2 shared library for GIF images (run
ii zlib1g 1:1.2.3-11 compression library - runtime
fbi recommends no packages.
-- no debconf information
diff -ru fbida-2.01.orig/fbgs fbida-2.01/fbgs
--- fbida-2.01.orig/fbgs 2004-03-28 13:32:16.000000000 +0200
+++ fbida-2.01/fbgs 2006-04-08 02:49:37.000000000 +0200
@@ -1,8 +1,8 @@
#!/bin/bash
# tmp dir
-DIR="${TMPDIR-/var/tmp}/fbps-$$"
-mkdir -p $DIR || exit 1
+DIR=`mktemp -dtp /var/tmp fbgs-XXXXXX`
+[ -d $DIR ] || exit 1
trap "rm -rf $DIR" EXIT
# parse options
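Review bot: the new `[ -d $DIR ] || exit 1` line does not reliably catch a failed mktemp. When mktemp fails it prints nothing, so `$DIR` is empty and the unquoted expansion leaves a one-argument `[ -d ]`, which only tests the string `-d` for non-emptiness and succeeds; the script then continues with an empty DIR, and the unchanged `trap "rm -rf $DIR" EXIT` line becomes an `rm -rf` with no operand. Checking mktemp's exit status directly and quoting the expansion avoids both problems, e.g. `DIR=$(mktemp -dtp /var/tmp fbgs-XXXXXX) || exit 1` followed by `trap 'rm -rf "$DIR"' EXIT`. Keeping `-t` next to `-p` is right, since it preserves the original `${TMPDIR-/var/tmp}` behaviour: with `-t` mktemp prefers $TMPDIR and falls back to the `-p` directory.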