From: Darren Moffat (Darren.Moffateng.sun.com)
Date: Thu Aug 23 2001 - 15:07:01 CDT


    The AdobeFnt.lst file actually comes from libCoolType.so.1 so there is
    potential that other Adobe software that uses libCoolType.so.1 would
    also be vulnerable to this bug.

    I don't know if there is other stuff that uses libCoolType or not, but looking
    at the symbol table it appears that it is a font library of sorts [I also
    noticed that it was compiled with gcc ;-)].

    It appears that the permissions are only set insecurely if the file
    didn't already exist, so a very simple wrapper around AdobeFnt.lst that
    created the file with good permissions first would probably suffice.

    Using truss on Solaris I discovered that the creation of the AdobeFnt.lst
    file in the users home directory is the only time that fchmod(fd, 0666) was
    called so my previous LD_PRELOAD fix that circumvents Adobe's poor security
    can be simplified to just this (which I have compiled and tested):

    #define _GNU_SOURCE     /* glibc needs this for RTLD_NEXT; harmless on Solaris */
    #include <limits.h>
    #include <sys/types.h>
    #include <sys/stat.h>   /* fchmod() prototype */
    #include <dlfcn.h>
    #include <errno.h>
    #include <stdio.h>
    #include <stdlib.h>

    /* Interposed fchmod(): pass every call on to the real libc fchmod(),
     * but force the mode to 0600 so the 0666 that libCoolType asks for is
     * never applied to ~/AdobeFnt.lst. Build as a shared object and load
     * it with LD_PRELOAD. */
    int fchmod(int fildes, mode_t mode)
    {
            static int (*fptr)(int fildes, mode_t mode) = 0;

            if (fptr == 0) {
                /* RTLD_NEXT resolves to the next fchmod() after this one, i.e. libc's. */
                fptr = (int (*)(int, mode_t))dlsym(RTLD_NEXT, "fchmod");
                if (fptr == NULL) {
                    (void) fprintf(stderr, "dlsym: %s\n", dlerror());
                    errno = ENOSYS;
                    return -1;      /* fchmod() returns int; -1 signals failure */
                }
            }

            mode = 0600;

            return ((fptr)(fildes, mode));
    }

    --
    Darren J Moffat