Bug 236525 (CVE-2008-3791) - media-gfx/gpicview Insecure tempfile and shell metadata in filename (CVE-2008-3791, CVE-2008-3904)
Status: RESOLVED FIXED
Alias: CVE-2008-3791
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
URL: http://thread.gmane.org/gmane.comp.se...
Whiteboard: ~2 [noglsa]
Reported: 2008-09-03 00:06 UTC by Robert Buchholz (RETIRED)
Modified: 2008-09-13 17:56 UTC
Description Robert Buchholz (RETIRED) gentoo-dev 2008-09-03 00:06:18 UTC
http://sourceforge.net/tracker/index.php?func=detail&aid=2019481&group_id=180858&atid=894869

Possible symlink attack via the temporarily created "/tmp/rot.jpg"
file used for image rotation.

Furthermore, Nico Golde reported that shell code could be executed via crafted filenames:
http://thread.gmane.org/gmane.comp.security.oss.general/845/focus=872

A patch can be found at the Debian bug (not reviewed yet):
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495968
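The fixed-name temporary file issue described above, as an added example that is not part of the original report and is not gpicview's code or its actual fix: it contrasts opening a predictable name with `mkstemp()`, inside a private scratch directory. The function names, the `gpv-demo` directory and the `victim.txt` file are hypothetical and constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak: predictable name. O_CREAT|O_TRUNC follows a symlink that already
 * exists at `path` and truncates whatever file it points to. */
int open_fixed(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: mkstemp() picks a random name and creates it with O_EXCL and
 * mode 0600, so a pre-existing file or symlink is never reused or followed. */
int open_private(const char *dir, char *path, size_t len) {
    int n = snprintf(path, len, "%s/rot-XXXXXX", dir);
    return (n < 0 || (size_t)n >= len) ? -1 : mkstemp(path);
}

/* Constructed scenario: in a scratch directory, a symlink named rot.jpg
 * points at victim.txt (4 bytes). Returns the victim's size after the chosen
 * opener has created the rotation temp file, or -1 if setup failed. */
long victim_size_after(int hardened) {
    char dir[] = "/tmp/gpv-demo-XXXXXX", victim[64], fixed[64], tmp[64] = "";
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(fixed, sizeof fixed, "%s/rot.jpg", dir);
    int v = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (v < 0 || write(v, "keep", 4) != 4 || close(v) != 0) return -1;
    if (symlink(victim, fixed) != 0) return -1;

    int fd = hardened ? open_private(dir, tmp, sizeof tmp) : open_fixed(fixed);
    if (fd >= 0) close(fd);
    long size = (stat(victim, &st) == 0) ? (long)st.st_size : -1;

    /* Clean up everything the demo created. */
    unlink(fixed); unlink(victim); if (tmp[0]) unlink(tmp); rmdir(dir);
    return size;
}

int main(void) {
    printf("fixed name: victim is %ld bytes\n", victim_size_after(0));
    printf("mkstemp:    victim is %ld bytes\n", victim_size_after(1));
    return 0;
}
```

On Linux kernels with `fs.protected_symlinks=1`, the kernel refuses to follow a symlink in a sticky world-writable directory such as /tmp when the link's owner matches neither the follower nor the directory owner. The demo uses a private directory owned by the caller, so the fixed-name open behaves as it would without that mitigation.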
Comment 1 Markus Meier gentoo-dev 2008-09-12 21:01:13 UTC
*gpicview-0.1.10 (12 Sep 2008)

  12 Sep 2008; Markus Meier <maekke@gentoo.org> -gpicview-0.1.8.ebuild,
  -gpicview-0.1.9.ebuild, +gpicview-0.1.10.ebuild:
  bump to 0.1.10, remove old ebuilds, security bug #236525

this should fix the mentioned security bugs (I checked /tmp/rot.jpg bug)
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-09-13 17:56:53 UTC
confirmed, thanks for bumping. Closing [noglsa].