URL: <https://savannah.gnu.org/bugs/?58585>
Summary: ssl-certificate for translation server
Project: GNU Health
Submitted by: coogor
Submitted on: Tue 16 Jun 2020 05:46:18 PM UTC
Category: Security
Severity: 4 - Important
Item Group: None
Status: None
Privacy: Public
Assigned to: meanmicio
Open/Closed: Open
Release: None
Discussion Lock: Any
Module: translate.gnusolidario.org

_______________________________________________________

Details:

translate.gnusolidario.org still misses an SSL certificate

1, /tmp/${lang_file} evaluates to e.g. /tmp/de.zip and is therefore predictable. On systems with fs.protected_symlinks=0 this can be used to overwrite arbitrary files

2, TRANSLATE_URL is an http URL and an active network attacker can change the content of the downloaded file

3, The first wget writes the content to the file no matter if it already exists. It also doesn't change the permissions. With that this can be used for local privilege escalation (LPE).

_______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?58585>

_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/
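
A hardened form of the download step that addresses the three points in the report, as an added example (not part of the original report and not GNU Health's own code). Only lang_file, TRANSLATE_URL and the use of wget come from the report; the function names, the mktemp template and the pluggable fetcher argument are assumptions made for illustration.

```shell
#!/bin/sh
# Point 2: refuse anything but https so the payload cannot be altered in transit.
require_https() {
    case "$1" in
        https://*) return 0 ;;
        *) echo "refusing non-https URL: $1" >&2; return 1 ;;
    esac
}

# Points 1 and 3: a private, unpredictable directory (mode 0700) replaces
# /tmp/${lang_file}. No other local user can pre-create a file or symlink
# inside it, so the download never lands on an existing path.
make_workdir() {
    ( umask 077; mktemp -d "${TMPDIR:-/tmp}/gh-lang.XXXXXXXXXX" )
}

# Default fetcher, called as: fetch_wget URL OUTFILE
fetch_wget() { wget -q -O "$2" "$1"; }

# fetch_lang URL LANG_FILE [FETCHER]
# URL is the full https URL of the language pack (e.g. built from
# TRANSLATE_URL); LANG_FILE is a bare file name such as de.zip.
# Prints the path of the downloaded file on success.
fetch_lang() {
    url=$1; lang_file=$2; fetcher=${3:-fetch_wget}
    require_https "$url" || return 1
    case "$lang_file" in
        ""|.|..|*/*) echo "bad file name: $lang_file" >&2; return 1 ;;
    esac
    workdir=$(make_workdir) || return 1
    out="$workdir/$lang_file"
    if "$fetcher" "$url" "$out"; then
        printf '%s\n' "$out"
    else
        rm -rf "$workdir"
        return 1
    fi
}
```

The caller is responsible for removing the directory that holds the returned path once the language pack has been installed.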