Bug 354143 - <app-text/tesseract-3.02: arbitrary file overwrite vulnerability
Summary: <app-text/tesseract-3.02: arbitrary file overwrite vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa]
Keywords:
Depends on: 454872
Blocks:
Reported: 2011-02-08 19:27 UTC by Paweł Hajdan, Jr. (RETIRED)
Modified: 2013-04-10 00:27 UTC

Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-02-08 19:27:38 UTC
A Debian bug report [1],[2] indicated that tesseract is vulnerable to an
arbitrary file overwrite flaw.  If a user could guess the PID of the tesseract
process and create a symlink in /tmp, they could cause the overwrite of any
file that the user running tesseract has write access to.  In
ccutil/debugwin.cpp we have:

  length +=
    sprintf (command + length,
    "\"stty opost; tty >/tmp/debug%d; while [ -s /tmp/debug%d ]\ndo\nsleep 1\ndone\" &\n",
    pid, pid);
  length +=
    sprintf (command + length, "trap \"rm -f /tmp/debug%d; kill -9 $!\" 0\n",
    pid);
  length += sprintf (command + length, "trap \"exit\" 1 2 3 13 15\n");
  length +=
    sprintf (command + length,
    "while [ ! -s /tmp/debug%d ]\ndo\nsleep 1\ndone\n", pid);
  length += sprintf (command + length, "trap \"\" 1 2 3 13 15\n");
  length += sprintf (command + length, "ofile=`cat /tmp/debug%d`\n", pid);
  length +=
    sprintf (command + length, "cat -u - >$ofile; rm /tmp/debug%d\n", pid);

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=612032
[2] https://bugs.launchpad.net/ubuntu/+source/tesseract/+bug/607297
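
The difference between the redirection style used on /tmp/debug%d above and an exclusive create, as an added example that is not part of the original report or of tesseract. The function names, the "victim" file and the private mkdtemp() directory are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example, not tesseract code. Like the shell redirection `>path`:
   follows a symlink at path and truncates whatever it points to. */
static int open_naive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened form: O_CREAT|O_EXCL fails if anything, including a symlink,
   already exists at path, so a pre-planted link is never followed. */
static int open_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

static long size_of(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Constructed scenario inside a private mkdtemp() directory.
   Returns a bitmask: 1 = exclusive open refused the symlink and the target
   was untouched; 2 = naive open truncated the target. */
int demo(void) {
    char dir[] = "/tmp/symdemoXXXXXX", victim[64], lnk[64];
    int fd, result = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/debug%d", dir, (int)getpid());
    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs("important data\n", f); fclose(f);
    if (symlink(victim, lnk) != 0) return -1;

    fd = open_exclusive(lnk);               /* refused: name already taken */
    if (fd < 0 && size_of(victim) > 0) result |= 1;
    if (fd >= 0) close(fd);
    fd = open_naive(lnk);                   /* follows the link, truncates */
    if (fd >= 0) close(fd);
    if (size_of(victim) == 0) result |= 2;

    unlink(lnk); unlink(victim); rmdir(dir);
    return result;
}

int main(void) { printf("demo() = %d\n", demo()); return 0; }
```

For a scratch file in a shared directory, mkstemp() combines the exclusive create with an unpredictable name, which also removes the PID-guessing step the report describes.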
Comment 1 Thomas Kahle (RETIRED) gentoo-dev 2013-01-31 17:13:05 UTC
This should be handled by stabilizing a 3.* version in bug 454872.
Comment 2 Tobias Heinlein (RETIRED) gentoo-dev 2013-03-24 19:31:37 UTC
Ready for vote, I vote NO.
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2013-04-10 00:27:57 UTC
GLSA vote: no, too.

Closing noglsa.