[LWN Logo]
[LWN.net]
From:	 Michael Paoli <michael1cat@yahoo.com>
To:	 bugtraq@securityfocus.com
Subject: Adobe Acrobat creates world writable ~/AdobeFnt.lst files
Date:	 Wed, 22 Aug 2001 05:55:46 -0700
Cc:	 michael1cat@yahoo.com

Adobe Acrobat creates world writable ~/AdobeFnt.lst files

This problem is present in at least the Linux version:
ftp://ftp.adobe.com/pub/adobe/acrobatreader/unix/4.x/linux-ar-405.tar.gz

Even with umask as restrictive as 077, the Adobe binary explicitly
creates and changes the AdobeFnt.lst file in the HOME directory to be
world (and group) writable.

Work-arounds are possible, such as by using wrapper script(s).  Note
that direct patching of the Adobe binary would apparently conflict with
the Adobe license.

Vendor notified: on or before 2001-03-02

references/excerpts:
ftp://ftp.adobe.com/pub/adobe/acrobatreader/unix/4.x/linux-ar-405.tar.gz
http://www.google.com/search?q=AdobeFnt.lst+security&btnG=Google+Search
http://bugs.debian.org/acroread
ftp://ftp.debian.org/debian/pool/non-free/a/acroread/acroread_4.05-4.diff.gz
http://www.wiretrip.net/rfp/policy.html

example work-around wrappers (use at your own risk, standard disclaimers
apply ...):
########################################################################
if [ ! -e $HOME/AdobeFnt.lst ]; then 
  # AcroRead will happily create a world writable AdobeFnt.lst ... 
  trap "rm -f $HOME/AdobeFnt.lst" 0 
  ln -s /dev/null $HOME/AdobeFnt.lst 
fi 
########################################################################
#wrapper stuff to work around world writable ~/AdobeFnt.lst issues

#directory we'll use, relative to HOME, to work around the problem
kludgedir=.AdobeFnt.security_kludge_dir

#check HOME isn't null
[ X"$HOME" != X ] || {
	1>&2 echo "$0: HOME is unset or null - aborting"
	exit 1
}

#if pathname for our kludge directory exists
if >>/dev/null 2>&1 ls -d "$HOME/$kludgedir"
then
	#check that it's properly secured
	2>>/dev/null ls -lLd "$HOME/$kludgedir" | >>/dev/null 2>&1 grep '^d....--.--' || {
		#not properly secured, complain and exit
		1>&2 echo "$0: found $HOME/$kludgedir but expecting directory with no group or world write or execute permissions - aborting"
		exit 1
	}
else
	#"$HOME/$kludgedir" doesn't exist, make it
	(umask 077 && mkdir -p "$HOME/$kludgedir")
	#we should have properly secure "$HOME/$kludgedir" at this point, verify
	2>>/dev/null ls -lLd "$HOME/$kludgedir" | >>/dev/null 2>&1 grep '^d....--.--' || {
		1>&2 echo "$0: unable to create properly secured $HOME/$kludgedir - aborting"
		exit 1
	}
fi

#does "$HOME"/AdobeFnt.lst exist in any form?
if >>/dev/null 2>&1 ls -d "$HOME"/AdobeFnt.lst
then
	#"$HOME"/AdobeFnt.lst may already be set up properly - check
	if [ X"`2>>/dev/null ls -ld "$HOME"/AdobeFnt.lst | sed -ne 's/^l.* -> \(.*\)/\1/p'`" != X"$kludgedir"/AdobeFnt.lst ]
	then
		#it's not what we were hoping for ... is it ordinary file?
		if [ ! -L "$HOME"/AdobeFnt.lst -a -f "$HOME"/AdobeFnt.lst ]
		then
			rm -f "$HOME"/AdobeFnt.lst
			#is it gone?
			[ ! -f "$HOME"/AdobeFnt.lst ] || {
				1>&2 echo "$0: failed to remove $HOME/AdobeFnt.lst file - aboring"
				exit 1
			}
			ln -s "$kludgedir"/AdobeFnt.lst "$HOME"/AdobeFnt.lst
			#test that "$HOME"/AdobeFnt.lst has been set up properly
			[ X"`2>>/dev/null ls -ld "$HOME"/AdobeFnt.lst | sed -ne 's/^l.* -> \(.*\)/\1/p'`" = X"$kludgedir"/AdobeFnt.lst ] || {
				1>&2 echo "$0: failed to create proper secure $HOME/AdobeFnt.lst - aborting"
				exit 1
			}
		else
			1>&2 echo "$0: $HOME/AdobeFnt.lst isn't set up as we need it, please remove it - aborting"
			exit 1
		fi
	fi
else
	ln -s "$kludgedir"/AdobeFnt.lst "$HOME"/AdobeFnt.lst
	#test that "$HOME"/AdobeFnt.lst has been set up properly
	[ X"`2>>/dev/null ls -ld "$HOME"/AdobeFnt.lst | sed -ne 's/^l.* -> \(.*\)/\1/p'`" = X"$kludgedir"/AdobeFnt.lst ] || {
		1>&2 echo "$0: failed to create proper secure $HOME/AdobeFnt.lst - aborting"
		exit 1
	}
fi

#we're done with the kludgedir shell variable
unset kludgedir
########################################################################

_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com