From: Michael Paoli <michael1cat@yahoo.com> To: bugtraq@securityfocus.com Subject: Adobe Acrobat creates world writable ~/AdobeFnt.lst files Date: Wed, 22 Aug 2001 05:55:46 -0700 Cc: michael1cat@yahoo.com Adobe Acrobat creates world writable ~/AdobeFnt.lst files This problem is present in at least the Linux version: ftp://ftp.adobe.com/pub/adobe/acrobatreader/unix/4.x/linux-ar-405.tar.gz Even with umask as restrictive as 077, the Adobe binary explicitly creates and changes the AdobeFnt.lst file in the HOME directory to be world (and group) writable. Work-arounds are possible, such as by using wrapper script(s). Note that direct patching of the Adobe binary would apparently conflict with the Adobe license. Vendor notified: on or before 2001-03-02 references/excerpts: ftp://ftp.adobe.com/pub/adobe/acrobatreader/unix/4.x/linux-ar-405.tar.gz http://www.google.com/search?q=AdobeFnt.lst+security&btnG=Google+Search http://bugs.debian.org/acroread ftp://ftp.debian.org/debian/pool/non-free/a/acroread/acroread_4.05-4.diff.gz http://www.wiretrip.net/rfp/policy.html example work-around wrappers (use at your own risk, standard disclaimers apply ...): ######################################################################## if [ ! -e $HOME/AdobeFnt.lst ]; then # AcroRead will happily create a world writable AdobeFnt.lst ... trap "rm -f $HOME/AdobeFnt.lst" 0 ln -s /dev/null $HOME/AdobeFnt.lst fi ######################################################################## #wrapper stuff to work around world writable ~/AdobeFnt.lst issues #directory we'll use, relative to HOME, to work around the problem kludgedir=.AdobeFnt.security_kludge_dir #check HOME isn't null [ X"$HOME" != X ] || { 1>&2 echo "$0: HOME is unset or null - aborting" exit 1 } #if pathname for our kludge directory exists if >>/dev/null 2>&1 ls -d "$HOME/$kludgedir" then #check that it's properly secured 2>>/dev/null ls -lLd "$HOME/$kludgedir" | >>/dev/null 2>&1 grep '^d....--.--' || { #not properly secured, complain and exit 1>&2 echo "$0: found $HOME/$kludgedir but expecting directory with no group or world write or execute permissions - aborting" exit 1 } else #"$HOME/$kludgedir" doesn't exist, make it (umask 077 && mkdir -p "$HOME/$kludgedir") #we should have properly secure "$HOME/$kludgedir" at this point, verify 2>>/dev/null ls -lLd "$HOME/$kludgedir" | >>/dev/null 2>&1 grep '^d....--.--' || { 1>&2 echo "$0: unable to create properly secured $HOME/$kludgedir - aborting" exit 1 } fi #does "$HOME"/AdobeFnt.lst exist in any form? if >>/dev/null 2>&1 ls -d "$HOME"/AdobeFnt.lst then #"$HOME"/AdobeFnt.lst may already be set up properly - check if [ X"`2>>/dev/null ls -ld "$HOME"/AdobeFnt.lst | sed -ne 's/^l.* -> \(.*\)/\1/p'`" != X"$kludgedir"/AdobeFnt.lst ] then #it's not what we were hoping for ... is it ordinary file? if [ ! -L "$HOME"/AdobeFnt.lst -a -f "$HOME"/AdobeFnt.lst ] then rm -f "$HOME"/AdobeFnt.lst #is it gone? [ ! -f "$HOME"/AdobeFnt.lst ] || { 1>&2 echo "$0: failed to remove $HOME/AdobeFnt.lst file - aboring" exit 1 } ln -s "$kludgedir"/AdobeFnt.lst "$HOME"/AdobeFnt.lst #test that "$HOME"/AdobeFnt.lst has been set up properly [ X"`2>>/dev/null ls -ld "$HOME"/AdobeFnt.lst | sed -ne 's/^l.* -> \(.*\)/\1/p'`" = X"$kludgedir"/AdobeFnt.lst ] || { 1>&2 echo "$0: failed to create proper secure $HOME/AdobeFnt.lst - aborting" exit 1 } else 1>&2 echo "$0: $HOME/AdobeFnt.lst isn't set up as we need it, please remove it - aborting" exit 1 fi fi else ln -s "$kludgedir"/AdobeFnt.lst "$HOME"/AdobeFnt.lst #test that "$HOME"/AdobeFnt.lst has been set up properly [ X"`2>>/dev/null ls -ld "$HOME"/AdobeFnt.lst | sed -ne 's/^l.* -> \(.*\)/\1/p'`" = X"$kludgedir"/AdobeFnt.lst ] || { 1>&2 echo "$0: failed to create proper secure $HOME/AdobeFnt.lst - aborting" exit 1 } fi #we're done with the kludgedir shell variable unset kludgedir ######################################################################## _________________________________________________________ Do You Yahoo!? Get your free @yahoo.com address at http://mail.yahoo.com