Package: liblept5
Version: 1.73-2
Severity: important
Tags: security

Hi!

A discussion in the German Usenet group de.comp.os.unix.linux.misc, starting at MID:<nlppqc$frq$1...@news.albasani.net>, revealed some serious security problems in leptonlib. (At least I think so.)

The leptonlib-progs and, more importantly, the liblept5 library hardcode several predictable paths in /tmp and /tmp/lept:

https://codesearch.debian.net/search?q=%22/tmp+package%3Aleptonlib+filetype%3Ac

Not only would this allow a symlink attack (which is why I added the security tag), but since the code does not clean the created paths, if one user runs some program which uses liblept5, like tesseract-ocr, then no other user can use it, because /lib/lept/... exists belonging to the first user.

In addition to that, the code seems to honor $TMPDIR, but not in all places. For example, the program /usr/bin/splitimage2pdf from leptonica-progs only works if $TMPDIR is not set or set to "/tmp", because while the getPathname() function _does_ use TMPDIR, if it is set, the code in prog/splitimage2pdf hard codes the path "/tmp/junk_split_image.ps" as the path to call "ps2pdf" with later.

If $TMPDIR is unset or set to /tmp, the code leaves two predictably named files behind in /tmp:

oweh@skuld:~$ ls -lrtc /tmp/junk*
-rw-r--r-- 1 oweh oweh 277230 Jul 10 01:31 /tmp/junk_split_image.ps
-rw-r--r-- 1 oweh oweh 1139 Jul 10 01:31 /tmp/junk_split_image.jpg

Any other user now trying to use the program or programs using the liblept5 library will get errors.

If $TMPDIR is set (for example my pam_tmpdir), those files are created in /tmp/user/<UID_OF_USER>, but some parts of the code don't honor this environment variable and expect the temporary files directly in /tmp or /tmp/lept.

Things like this can be found all over the place, and from looking at the code I am a bit frightened what a more in-depth audit might reveal.

Regards,
Sven.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (400, 'testing'), (100, 'experimental'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.6.0-1-amd64 (SMP w/12 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages liblept5 depends on:
ii  libc6            2.23-1
ii  libgif7          5.1.4-0.3
ii  libjpeg62-turbo  1:1.5.0-1
ii  libopenjp2-7     2.1.0-2.1+b1
ii  libpng16-16      1.6.23-1
ii  libtiff5         4.0.6-1
ii  libwebp5         0.4.4-1.1
ii  zlib1g           1:1.2.8.dfsg-2+b1

liblept5 recommends no packages.

liblept5 suggests no packages.

-- no debconf information
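
Added example, not part of the original report and not leptonica code: one way to avoid the three problems described above (fixed names in /tmp, files left behind, $TMPDIR honored in one place but not another) is to generate the path once with mkstemp() and pass that same path to every later consumer. The function names and the "lept_demo" prefix used with them are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: create a private temp file under $TMPDIR (fallback
 * /tmp). Unlike a fixed name such as /tmp/junk_split_image.ps, mkstemp()
 * opens with O_CREAT|O_EXCL, so an existing file or symlink is never reused.
 * Returns the fd and stores the generated path in out; -1 on error. */
int make_private_temp(const char *prefix, char *out, size_t outlen)
{
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || dir[0] != '/')      /* unset or relative: fall back */
        dir = "/tmp";
    int n = snprintf(out, outlen, "%s/%s.XXXXXX", dir, prefix);
    if (n < 0 || (size_t)n >= outlen)
        return -1;                         /* path would be truncated */
    return mkstemp(out);                   /* replaces XXXXXX in place */
}

/* Example consumer: 0 if path is a regular file we own with no group/other
 * permission bits, -1 otherwise. lstat() does not follow symlinks. */
int is_private_regular_file(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    return (S_ISREG(st.st_mode) && st.st_uid == geteuid() &&
            (st.st_mode & 077) == 0) ? 0 : -1;
}

/* Write data, pass the same generated path to consume() (for example a
 * wrapper that runs a converter on it), then always remove the file. */
int with_temp_file(const char *prefix, const void *data, size_t len,
                   int (*consume)(const char *path))
{
    char path[PATH_MAX];
    int fd = make_private_temp(prefix, path, sizeof path);
    if (fd < 0)
        return -1;
    int ok = write(fd, data, len) == (ssize_t)len;
    if (close(fd) != 0)
        ok = 0;
    int rc = ok ? (consume ? consume(path) : 0) : -1;
    unlink(path);                          /* leave nothing behind */
    return rc;
}
```

Because the consumer receives the generated path rather than rebuilding it from a literal, the writer and the reader cannot disagree about $TMPDIR.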