[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

address@hidden: Bug#538330: groff: pdfroff uses (and documents!) insecur

From: Colin Watson
Subject: address@hidden: Bug#538330: groff: pdfroff uses (and documents!) insecure temporary files]
Date: Tue, 11 Aug 2009 09:51:14 -0000
User-agent: Mutt/1.5.18 (2008-05-17)

See attached report; this is indeed a standard anti-pattern resulting in
security vulnerabilities. In Debian I'd be rather tempted to use 'mktemp
-d' to fix this. What do you think?

Colin Watson                                       address@hidden
--- Begin Message --- Subject: Bug#538330: groff: pdfroff uses (and documents!) insecure temporary files Date: Fri, 24 Jul 2009 21:15:37 +0000 User-agent: Mutt/1.5.20 (2009-06-14)
Package: groff
Version: 1.20.1-4
Severity: grave
File: /usr/bin/pdfroff
Tags: security

According to pdfroff(1) (and my inspection of the source code), pdfroff
uses $$ (the current pid) to create temporary files.  This is extremely
easy to predict, and thus, insecure.

Please fix both the code and the documentation so that they securely
generate (or reference) temporary files.

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/zsh4

Versions of packages groff depends on:
ii  groff-base                    1.20.1-4   GNU troff text-formatting system (
ii  libc6                         2.9-21     GNU C Library: Shared libraries
ii  libgcc1                       1:4.4.1-1  GCC support library
ii  libice6                       2:1.0.5-1  X11 Inter-Client Exchange library
ii  libsm6                        2:1.1.0-2  X11 Session Management library
ii  libstdc++6                    4.4.1-1    The GNU Standard C++ Library v3
ii  libx11-6                      2:1.2.2-1  X11 client-side library
ii  libxaw7                       2:1.0.5-2  X11 Athena Widget library
ii  libxmu6                       2:1.0.4-1  X11 miscellaneous utility library
ii  libxt6                        1:1.0.5-3  X11 toolkit intrinsics library

Versions of packages groff recommends:
ii  ghostscript                8.64~dfsg-13  The GPL Ghostscript PostScript/PDF
ii  imagemagick                7: image manipulation programs
ii  libpaper1                  1.1.23+nmu1   library for handling paper charact
ii  netpbm                     2:10.0-12     Graphics conversion tools
ii  psutils                    1.17-26       A collection of PostScript documen

groff suggests no packages.

-- no debconf information

brian m. carlson / brian with sandals: Houston, Texas, US
+1 713 440 7475 | http://crustytoothpaste.ath.cx/~bmc | My opinion only
OpenPGP: RSA v4 4096b 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187

Attachment: signature.asc
Description: Digital signature

--- End Message ---

reply via email to

[Prev in Thread] Current Thread [Next in Thread]