Hi,

This has now been patched in latest jpegoptim (see https://github.com/tjko/jpegoptim). Next jpegoptim release (1.2.5) will use mkstemps() if it's available on the target platform.

Thanks,
Timo

On Thu, May 31, 2012 at 5:04 AM, A. N. Other <a.n.other.deb...@gmail.com> wrote:
> Package: jpegoptim
> Version: 1.2.3-2
> Severity: important
> Tags: patch, security
> X-Debbugs-Cc: t...@iki.fi
>
> (cc-ing Debian BTS report to jpegoptim upstream)
>
> For each image that it processes, jpegoptim currently creates a temporary file {destdir}/jpegoptim-{uid}-{pid}.tmp, where {destdir} is either the directory specified with the -d option or the dirname of the input filename, {uid} is the user id of the user running jpegoptim and {pid} is the process id of the jpegoptim process. It doesn't check whether the file already exists before opening it for writing.
>
> In certain circumstances, if a local attacker succeeds in creating a symlink with the same name, pointing to another file writeable to the user running jpegoptim, that file would be overwritten. The attacker would require sufficient permissions to {destdir}; in particular the attack would work if {destdir} == /tmp/.
>
> If jpegoptim is processing multiple files, the attacker wouldn't even have to guess the pid, as jpegoptim reuses the temporary filename.
>
> The attached patch uses mkstemp to create the temporary file, I think this is enough to solve the problem in the case {destdir} == /tmp/ (maybe jpegoptim should also check that the permissions on the {destdir} path aren't too lax).

-- 
Timo <t...@iki.fi>
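As an added illustration of the fix discussed in this thread (this is example code, not jpegoptim's own source or the attached patch): the temp file is created with mkstemps() so the name is unpredictable and the open is atomic with O_CREAT|O_EXCL, which means a pre-placed symlink at that path is never followed; a second helper implements the "lax {destdir}" check the report suggests, flagging a world-writable directory that lacks the sticky bit. The "jpegoptim-XXXXXX.tmp" template and the helper names are assumptions made for the example.

```c
#define _GNU_SOURCE 1          /* exposes mkstemps() on glibc */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if dir is world-writable without the sticky bit (any local
 * user could plant a name there), 0 if not, -1 if dir cannot be stat'ed
 * or is not a directory.  Hypothetical helper for this example. */
int destdir_is_lax(const char *dir)
{
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    return (st.st_mode & S_IWOTH) && !(st.st_mode & S_ISVTX);
}

/* Creates and opens a fresh temp file inside destdir.  On success returns
 * the open fd and writes the chosen path into 'path'; returns -1 on error.
 * The XXXXXX run is replaced by mkstemps() with random characters and the
 * file is opened O_CREAT|O_EXCL, so an existing file or symlink of the same
 * name makes the call fail instead of being overwritten or followed. */
int open_temp(const char *destdir, char *path, size_t pathlen)
{
    int n = snprintf(path, pathlen, "%s/jpegoptim-XXXXXX.tmp", destdir);
    if (n < 0 || (size_t)n >= pathlen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return mkstemps(path, 4);   /* 4 == strlen(".tmp"), the kept suffix */
}

int main(void)
{
    char path[4096];
    const char *destdir = "/tmp";   /* the worst case named in the report */

    if (destdir_is_lax(destdir) == 1)
        fprintf(stderr, "warning: %s is world-writable without sticky bit\n", destdir);

    int fd = open_temp(destdir, path, sizeof path);
    if (fd < 0) { perror("open_temp"); return 1; }
    printf("created %s\n", path);   /* e.g. /tmp/jpegoptim-Ab3xQ9.tmp */
    close(fd);
    unlink(path);
    return 0;
}
```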