Package: wyrd Version: 1.4.3b-3 Severity: grave Tags: security Hi, while searching for a cool calendar software I tried out wyrd and noticed a wyrd file in /tmp that didn't look very random. Looking at the source code it turns out that wyrd dumps its configuration if you press ? (help) in the ui. It then stores a file named wyrd-tmp.<userid> in /tmp.
rcfile.ml: 139 let tmpfile = "/tmp/wyrd-tmp." ^ (string_of_int (Unix.getuid ())) An attacker only needs to look up the userid in /etc/passwd and create a symlink from /home/victim/someimportantfile /tmp/wyrd-tmp.uid and this will overwrite the content with the wyrd configuration. Unfortunately I have no idea about ML programming so I don't have a solution for this. A CVE id for this is pending. Kind regards Nico -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
pgp0vXqn2tfLL.pgp
Description: PGP signature
