This problem was reported by a Debian user with xsane-0.49.
With this version of xsane it is possible to let a user overwrite his
own files. Take for example user A with UID 1000 and user B who wants
to overwrite a file of A. In this case B creates a symlink
/tmp/preview-level-0-1000-mustek:_dev_sg1.ppm (1000 is the UID of user
A, mustek:_dev_sg1.ppm is the specification of the scanner) to some
file owned by user A, which B wants to be overwritten. If user A uses
xsane in combination with the preview window the next time, it will
overwrite the file that the symlink points to, without asking
first.
IMHO xsane should check whether the preview file in /tmp is a real
file and whether it is owned by the user who runs xsane. Otherwise
this is a security hole.
-- Kevin Dalley kevind@rahul.net
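The check proposed in the message above (the preview file must be a real file owned by the user running the program), written out as an added example; this is not xsane code. The function names open_preview_file and demo_symlink_refused are hypothetical, the demo files are constructed, and the code assumes a POSIX.1-2008 system such as Linux where O_NOFOLLOW is available.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a preview file for writing without following a planted symlink.
 * Returns a file descriptor, or -1 on refusal or error. */
int open_preview_file(const char *path)
{
    struct stat st;
    /* O_NOFOLLOW refuses a symlink as the last path component.
     * No O_TRUNC: nothing is destroyed before the checks below pass. */
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    /* fstat the opened object itself, so the path cannot be swapped. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    if (ftruncate(fd, 0) != 0) { close(fd); return -1; }
    return fd;
}

/* Constructed scenario: a victim file plus a symlink to it standing in for
 * the predictable preview name. Returns 1 if the open is refused and the
 * victim keeps its 6 bytes. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/preview-demo-XXXXXX", victim[64], lnk[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/preview.ppm", dir);
    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs("secret", f); fclose(f);
    if (symlink(victim, lnk) != 0) return -1;
    int fd = open_preview_file(lnk);
    int ok = fd < 0 && stat(victim, &st) == 0 && st.st_size == 6;
    if (fd >= 0) close(fd);
    unlink(lnk); unlink(victim); rmdir(dir);
    return ok;
}

int main(void) { return demo_symlink_refused() == 1 ? 0 : 1; }
```

The st_nlink test also refuses a hard link planted under the preview name, which the ownership test alone would not catch because a hard link keeps the original owner.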
This archive was generated by hypermail 2b29 : Sun Feb 27 2000 - 15:59:48 PST