[22368] in bugtraq
Adobe Acrobat creates world writable ~/AdobeFnt.lst files
daemon@ATHENA.MIT.EDU (Michael Paoli)
Wed Aug 22 10:39:29 2001
X-Apparently-From: <michael1cat@yahoo.com>
Message-ID: <3B83ABD1.E1C10330@yahoo.com>
Date: Wed, 22 Aug 2001 05:55:46 -0700
From: Michael Paoli <michael1cat@yahoo.com>
MIME-Version: 1.0
To: bugtraq@securityfocus.com
Cc: michael1cat@yahoo.com
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Adobe Acrobat creates world writable ~/AdobeFnt.lst files
This problem is present in at least the Linux version:
ftp://ftp.adobe.com/pub/adobe/acrobatreader/unix/4.x/linux-ar-405.tar.gz
Even with umask as restrictive as 077, the Adobe binary explicitly
creates and changes the AdobeFnt.lst file in the HOME directory to be
world (and group) writable.
Work-arounds are possible, such as by using wrapper script(s). Note
that direct patching of the Adobe binary would apparently conflict with
the Adobe license.
Vendor notified: on or before 2001-03-02
references/excerpts:
ftp://ftp.adobe.com/pub/adobe/acrobatreader/unix/4.x/linux-ar-405.tar.gz
http://www.google.com/search?q=AdobeFnt.lst+security&btnG=Google+Search
http://bugs.debian.org/acroread
ftp://ftp.debian.org/debian/pool/non-free/a/acroread/acroread_4.05-4.diff.gz
http://www.wiretrip.net/rfp/policy.html
example work-around wrappers (use at your own risk, standard disclaimers
apply ...):
########################################################################
if [ ! -e "$HOME"/AdobeFnt.lst ]; then
    # AcroRead will happily create a world writable AdobeFnt.lst ...
    # point it at /dev/null for this run and remove the link on exit
    trap 'rm -f "$HOME"/AdobeFnt.lst' 0
    ln -s /dev/null "$HOME"/AdobeFnt.lst
fi
########################################################################
########################################################################
#wrapper stuff to work around world writable ~/AdobeFnt.lst issues
#directory we'll use, relative to HOME, to work around the problem
kludgedir=.AdobeFnt.security_kludge_dir
#check HOME isn't null
[ X"$HOME" != X ] || {
    1>&2 echo "$0: HOME is unset or null - aborting"
    exit 1
}
#if pathname for our kludge directory exists
if >>/dev/null 2>&1 ls -d "$HOME/$kludgedir"
then
    #check that it's properly secured (no group or world write/execute)
    2>>/dev/null ls -lLd "$HOME/$kludgedir" | >>/dev/null 2>&1 grep '^d....--.--' || {
        #not properly secured, complain and exit
        1>&2 echo "$0: found $HOME/$kludgedir but expecting directory with no group or world write or execute permissions - aborting"
        exit 1
    }
else
    #"$HOME/$kludgedir" doesn't exist, make it
    (umask 077 && mkdir -p "$HOME/$kludgedir")
    #we should have properly secure "$HOME/$kludgedir" at this point, verify
    2>>/dev/null ls -lLd "$HOME/$kludgedir" | >>/dev/null 2>&1 grep '^d....--.--' || {
        1>&2 echo "$0: unable to create properly secured $HOME/$kludgedir - aborting"
        exit 1
    }
fi
#does "$HOME"/AdobeFnt.lst exist in any form?
if >>/dev/null 2>&1 ls -d "$HOME"/AdobeFnt.lst
then
    #"$HOME"/AdobeFnt.lst may already be set up properly - check that it is
    #a symlink pointing into our kludge directory
    if [ X"`2>>/dev/null ls -ld "$HOME"/AdobeFnt.lst | sed -ne 's/^l.* -> \(.*\)/\1/p'`" != X"$kludgedir"/AdobeFnt.lst ]
    then
        #it's not what we were hoping for ... is it ordinary file?
        if [ ! -L "$HOME"/AdobeFnt.lst -a -f "$HOME"/AdobeFnt.lst ]
        then
            rm -f "$HOME"/AdobeFnt.lst
            #is it gone?
            [ ! -f "$HOME"/AdobeFnt.lst ] || {
                1>&2 echo "$0: failed to remove $HOME/AdobeFnt.lst file - aborting"
                exit 1
            }
            ln -s "$kludgedir"/AdobeFnt.lst "$HOME"/AdobeFnt.lst
            #test that "$HOME"/AdobeFnt.lst has been set up properly
            [ X"`2>>/dev/null ls -ld "$HOME"/AdobeFnt.lst | sed -ne 's/^l.* -> \(.*\)/\1/p'`" = X"$kludgedir"/AdobeFnt.lst ] || {
                1>&2 echo "$0: failed to create proper secure $HOME/AdobeFnt.lst - aborting"
                exit 1
            }
        else
            1>&2 echo "$0: $HOME/AdobeFnt.lst isn't set up as we need it, please remove it - aborting"
            exit 1
        fi
    fi
else
    ln -s "$kludgedir"/AdobeFnt.lst "$HOME"/AdobeFnt.lst
    #test that "$HOME"/AdobeFnt.lst has been set up properly
    [ X"`2>>/dev/null ls -ld "$HOME"/AdobeFnt.lst | sed -ne 's/^l.* -> \(.*\)/\1/p'`" = X"$kludgedir"/AdobeFnt.lst ] || {
        1>&2 echo "$0: failed to create proper secure $HOME/AdobeFnt.lst - aborting"
        exit 1
    }
fi
#we're done with the kludgedir shell variable
unset kludgedir
########################################################################
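As an added example (not part of the original post or the wrappers above), the permission checks the wrappers rely on, restated as shell functions that can audit home directories for the world/group-writable AdobeFnt.lst the post describes; the temporary directory and the chmod standing in for the binary's behaviour are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: audit for group/world-writable
# AdobeFnt.lst files, plus the wrapper's 0700-directory check, as functions.

# mode_string PATH -> the 10-character permission field printed by ls -ld
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# adobefnt_unsafe FILE -> 0 if FILE is a regular file with group or world
# write set (the condition the post describes), 1 if not, 2 if it is missing.
# Symlinks are not flagged (their own mode is always lrwxrwxrwx, and the
# wrapper above deliberately leaves a symlink into a 0700 directory).
adobefnt_unsafe() {
    [ -e "$1" ] || return 2
    [ -L "$1" ] && return 1
    case "$(mode_string "$1")" in
        ?????w????|????????w?) return 0 ;;   # char 6: group w, char 9: other w
        *) return 1 ;;
    esac
}

# kludgedir_secured DIR -> 0 if DIR is a directory with no group/world write
# or execute bit, i.e. what the wrapper's grep '^d....--.--' accepts.
kludgedir_secured() {
    case "$(mode_string "$1" 2>/dev/null)" in
        d????--?--) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_homes HOMEDIR... -> prints every HOMEDIR/AdobeFnt.lst that is group-
# or world-writable; exit status is the number of such files (0 = clean).
audit_homes() {
    n=0
    for h in "$@"; do
        if adobefnt_unsafe "$h/AdobeFnt.lst"; then
            echo "$h/AdobeFnt.lst: $(mode_string "$h/AdobeFnt.lst")"
            n=$((n + 1))
        fi
    done
    return $n
}
# Constructed demonstration: umask 077 does not help because the binary chmods
# the file itself; an explicit chmod 666 stands in for that behaviour here.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' 0
umask 077
: > "$demo/AdobeFnt.lst" && chmod 666 "$demo/AdobeFnt.lst"
audit_homes "$demo" || echo "$? writable font list(s) found under $demo"
```

Run with a list of home directories (for example `audit_homes /home/*`) from cron to catch the file reappearing after a new Acrobat run; the 0700-directory check is what makes the symlink workaround acceptable even though the file behind it still ends up 0666.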