Package: libid3-3.8.3c2a
Version: 3.8.3-6
Severity: grave
Tags: security
Justification: user security hole
Hi,

when tagging file $foo, a temporary copy of the file is created, and for some reason, libid3 doesn't use mkstemp but just creates $foo.XXXXXX literally, without any checking. This would silently truncate and overwrite an existing $foo.XXXXXX.

,----[ src/tag_file.cpp, lines 233-248 ]
| String filename = tag.GetFileName();
| String sTmpSuffix = ".XXXXXX";
| if (filename.size() + sTmpSuffix.size() > ID3_PATH_LENGTH)
| {
|   // log this
|   return 0;
|   //ID3_THROW_DESC(ID3E_NoFile, "filename too long");
| }
| char sTempFile[ID3_PATH_LENGTH];
| strcpy(sTempFile, filename.c_str());
| strcat(sTempFile, sTmpSuffix.c_str());
|
| #if ((defined(__GNUC__) && __GNUC__ >= 3 ) || !defined(HAVE_MKSTEMP))
|   // This section is for Windows folk && gcc 3.x folk
|   fstream tmpOut;
|   createFile(sTempFile, tmpOut);
`----

HAND,
Nikolaus

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-5-k7
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages libid3-3.8.3c2a depends on:
ii  libc6       2.3.6.ds1-13etch2  GNU C Library: Shared libraries
ii  libgcc1     1:4.1.1-21         GCC support library
ii  libstdc++6  4.1.1-21           The GNU Standard C++ Library v3
ii  zlib1g      1:1.2.3-13         compression library - runtime

libid3-3.8.3c2a recommends no packages.

-- no debconf information
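The following is an added illustration, not part of the bug report and not libid3 code, of the difference between the literal-suffix pattern shown above and a replacement built on mkstemp(3). The function names (literalTempName, createSecureTemp, demoPreservesExisting) and the scratch paths under /tmp are assumptions made for the example. mkstemp replaces the trailing X's with a unique token and opens the file with O_CREAT|O_EXCL and mode 0600, so an existing $foo.XXXXXX is never truncated and there is no check-then-use window between choosing the name and opening it.

```cpp
// Added example (not libid3 code): literal ".XXXXXX" suffix versus mkstemp(3).
// All function names and scratch paths here are hypothetical.
#include <cstdlib>
#include <fstream>
#include <string>
#include <vector>
#include <unistd.h>

// Vulnerable pattern: the suffix is appended literally, so every call for the
// same file yields the same predictable name, and a later open-for-write
// truncates whatever already sits there.
std::string literalTempName(const std::string& filename) {
    return filename + ".XXXXXX";
}

// Hardened pattern: mkstemp() fills in the X's with a unique token, creates the
// file with O_CREAT|O_EXCL and mode 0600, and returns an open descriptor.
// Returns the real path and stores the descriptor in fd_out; "" on failure.
std::string createSecureTemp(const std::string& filename, int& fd_out) {
    std::vector<char> tmpl(filename.begin(), filename.end());
    const char suffix[] = ".XXXXXX";
    tmpl.insert(tmpl.end(), suffix, suffix + sizeof(suffix)); // copies the NUL too
    fd_out = mkstemp(tmpl.data());
    if (fd_out < 0) return "";
    return std::string(tmpl.data());
}

// Demonstration: plant a file at the literal "$foo.XXXXXX" name (constructed
// sample data), then show that the hardened routine picks a different name and
// leaves the planted file's contents untouched. Returns true on success.
bool demoPreservesExisting() {
    char dirTmpl[] = "/tmp/id3demo.XXXXXX";   // scratch directory, hypothetical path
    if (mkdtemp(dirTmpl) == nullptr) return false;
    std::string dir(dirTmpl);
    std::string target = dir + "/song.mp3";
    std::string literal = literalTempName(target);
    { std::ofstream out(literal); out << "precious"; }  // a victim's pre-existing file

    int fd = -1;
    std::string tmp = createSecureTemp(target, fd);
    bool ok = (fd >= 0);
    if (ok) {
        close(fd);
        unlink(tmp.c_str());
    }

    std::string content;
    { std::ifstream in(literal); std::getline(in, content); }
    unlink(literal.c_str());
    rmdir(dir.c_str());

    return ok && tmp != literal && content == "precious";
}

int main() {
    return demoPreservesExisting() ? 0 : 1;   // exit status 0 when the hardened path is safe
}
```

The remaining caveat is the fallback branch in the original: on the platforms where HAVE_MKSTEMP is undefined (the "Windows folk" case) a library still needs some exclusive-create primitive, or the temporary must be placed in a directory that untrusted users cannot write to.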