![[LWN Logo]](/images/lcorner.png) |
|
![[LWN.net]](/images/Included.png) |
From: Darren Moffat <Darren.Moffat@eng.sun.com>
To: bugtraq@securityfocus.com, michael1cat@yahoo.com
Subject: Re: Adobe Acrobat creates world writable ~/AdobeFnt.lst files
Date: Wed, 22 Aug 2001 10:35:07 -0700 (PDT)
>Adobe Acrobat creates world writable ~/AdobeFnt.lst files
>
>This problem is present in at least the Linux version:
>ftp://ftp.adobe.com/pub/adobe/acrobatreader/unix/4.x/linux-ar-405.tar.gz
>
>Even with umask as restrictive as 077, the Adobe binary explicitly
>creates and changes the AdobeFnt.lst file in the HOME directory to be
>world (and group) writable.
What anoys me almost as much as ignoring the umask is that this file
is placed directly into $HOME and isn't a "." file.
>Vendor notified: on or before 2001-03-02
I notified Adobe of this on October 27th 1999 and never got any reply,
see attached.
Another possible workaround would be to create a shared object that
replaced the open/chmod calls that change the permissions on the file,
this could then be LD_PRELOAD'd so that acroread doesn't do the wrong thing.
Using truss on Solaris we can easily see that acroread actually makes
an explicit call to set the permissions to 0666.
251032: open("/home/darrenm/AdobeFnt.lst", O_WRONLY|O_CREAT|O_TRUNC, 01) = 6
251032: fchmod(6, 0666)
--
Darren J Moffat
------------- Begin Included Message -------------
From darrenm Wed Oct 27 10:08:37 1999
Date: Wed, 27 Oct 1999 10:08:37 +0100 (BST)
From: Darren Moffat - Solaris Sustaining Engineering <darrenm@otis.uk>
Subject: Acrobat Reader 4.0 for Solaris
To: security@adobe.com
X-Mailer: dtmail 1.3.0 @(#)CDE Version 1.4_33 SunOS 5.8 sun4u sparc
Mime-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
Content-MD5: vU9ym6j5UvaH9PQ8ueMX+A==
Content-Length: 654
Status: O
X-Status: $$$$
X-UID: 0000000176
When starting the Acrobat Reader 4.0 for the first time a new file
called AdobeFnt.lst is created in the users home directory. This file
is created with world writeable permissions (666).
Given that this file contains font mappings, this is a security hole as
it would allow someone else to replace your font definitions thus making
the documents appear different to what the author intended.
While you are fixing this security hole, may I suggest that you put the
file in a less obtrusive place. Dumping non "." files in a users home
directory is considered very bad form in UNIX.
Thanks
--
Darren J Moffat
Solaris Software Sustaining Engineering
------------- End Included Message -------------