Bug#: 165940
Status: RESOLVED
Resolution: FIXED
Assigned To: media-gfx herd <graphics@gentoo.org>
Reporter: Andrew Aylett <gentoo@aylett.co.uk>
Description:   Opened: 2007-02-08 16:54 0000
The exifautotran script included in media-libs/jpeg uses a hardcoded name
'tempfile' for temporary file operations.  This will also obviously fail if you
don't have write privileges for the current directory.

The security aspect is a potential symlink vulnerability, as well as the issue
of the script overwriting any other 'tempfile' you might have in the current
directory.  It also makes running multiple instances of the script somewhat
challenging.

Reproducible: Always

Steps to Reproduce:
1. Create a file in the local directory called 'tempfile'
2. Find a JPEG file where the exif data says the image requires rotation
(http://old.aylett.co.uk/~axa/img_0183.jpg)
3. Run exifautotran on that jpeg file
4. Run exifautotran on a fresh instance of the jpeg file from a directory you
have no write access to

Actual Results:  
The file created in step one is gone, step four fails

Expected Results:  
The file is left intact, both steps three and four result in a rotated jpeg
file

Simple fix to use mktemp instead:

--- exifautotran~       2007-01-02 16:44:23.000000000 +0000
+++ exifautotran        2007-02-08 16:24:38.000000000 +0000
@@ -27,14 +27,15 @@
  8) transform="-rotate 270";;
  *) transform="";;
  esac
+ TMPFILE=`mktemp` || exit 1
  if test -n "$transform"; then
   echo Executing: jpegtran -copy all $transform $i >&2
-  jpegtran -copy all $transform "$i" > tempfile
+  jpegtran -copy all $transform "$i" > $TMPFILE
   if test $? -ne 0; then
    echo Error while transforming $i - skipped. >&2
+   rm $TMPFILE
   else
    rm "$i"
-   mv tempfile "$i"
+   mv $TMPFILE "$i"
    jpegexiforient -1 "$i" > /dev/null
   fi
  fi
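
Review bot: The added TMPFILE line calls mktemp above the 'if test -n "$transform"' check, so when no transform is needed a temporary file is created and neither the new 'rm $TMPFILE' nor the 'mv $TMPFILE "$i"' branch runs, leaving it behind. Moving the mktemp call inside the 'if' block avoids the leftover file. $TMPFILE is also unquoted in the redirect, the rm and the mv, unlike "$i" on the neighbouring lines; quoting it as "$TMPFILE" keeps the script correct if TMPDIR contains spaces.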

------- Comment #1 From Tavis Ormandy (RETIRED) 2007-02-08 17:07:15 0000 -------
Thanks for the report, although it's not good practice for the reasons you
describe, the security team won't usually consider using the cwd insecurely as a
security issue unless there are exceptional circumstances. However, the
maintainer may wish to apply your patch anyway.

Believe it or not, this is actually recommended by several well published
secure coding guides (e.g., check out the Secure Programming HOWTO, section
7.10.1.2).

Reassigning to graphics team...

------- Comment #2 From SpanKY 2007-02-09 06:42:50 0000 -------
fixed in jpeg-6b-r8
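
The fixed-name 'tempfile' problem from the description, shown beside a mktemp-based replacement, as an added example that is not part of the bug report, the submitted patch or the jpeg package. The function names and the '.rip.' prefix are hypothetical, and placing the temporary file in the target's own directory is a choice made here (the patch on this page uses mktemp's default location).

```shell
#!/bin/sh
# Added illustration; function names and the .rip. prefix are hypothetical.

# Pattern described in the report: a fixed name in the current directory.
# The redirect follows a symlink named 'tempfile' and truncates whatever it
# points to, and it clobbers any unrelated file of that name.
legacy_replace() {
    target=$1; shift
    "$@" < "$target" > tempfile || return 1
    rm "$target"
    mv tempfile "$target"
}

# mktemp-based form: FILE is fed to CMD on stdin and replaced by CMD's output.
safe_replace() {
    target=$1; shift
    dir=$(dirname -- "$target")
    # mktemp picks an unpredictable name and creates the file exclusively,
    # so an existing file or symlink is never opened. Using the target's
    # directory keeps the final mv a same-filesystem rename and makes the
    # result independent of the current directory.
    tmp=$(mktemp "$dir/.rip.XXXXXX") || return 1
    if "$@" < "$target" > "$tmp"; then
        # Note: the replaced file keeps mktemp's restrictive mode.
        mv -f -- "$tmp" "$target" && return 0
    fi
    # Command or rename failed: the target is untouched, remove the leftover.
    rm -f -- "$tmp"
    return 1
}

# Usage with the invocation from the page (jpegtran reads stdin when no
# input file is named):
#   safe_replace photo.jpg jpegtran -copy all -rotate 270
```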