SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Adobe Acrobat/Reader Vendors:   Adobe Systems Incorporated
Adobe Acrobat Reader on Linux Creates World-Readable Font List Files Allowing Local Users to Deny Service to Acrobat Users
SecurityTracker Alert ID:  1002261
SecurityTracker URL:  http://securitytracker.com/id/1002261
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Aug 27 2001
Impact:   Denial of service via local system, Modification of user information
Exploit Included:  Yes  
Version(s): linux-ar-405.tar.gz; possibly others
Description:   A vulnerability was reported in the Adobe Acrobat reader for Linux that allows local users to deny service to Acrobat users.

It is reported that Adobe Acrobat reader creates world writable ~/AdobeFnt.lst font list files. The program explicitly creates and changes the AdobeFnt.lst file in the HOME directory to be world (and group) writable, regardless of the user's umask setting.

A local user can modify this file to point to invalid or malicious fonts that could cause Acrobat to crash. Other applications that user the AdobeFnt.list file (such as Photoshop) could also be affected.

Impact:   A local user can cause another user's Adobe Acrobat reader to crash.
Solution:   No vendor solution was available at the time of this entry. A workaround provided by the author is included in the Source Message.
Vendor URL:  www.adobe.com/ (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  Adobe Acrobat creates world writable ~/AdobeFnt.lst files


Adobe Acrobat creates world writable ~/AdobeFnt.lst files

This problem is present in at least the Linux version:
ftp://ftp.adobe.com/pub/adobe/acrobatreader/unix/4.x/linux-ar-405.tar.gz

Even with umask as restrictive as 077, the Adobe binary explicitly
creates and changes the AdobeFnt.lst file in the HOME directory to be
world (and group) writable.

Work-arounds are possible, such as by using wrapper script(s).  Note
that direct patching of the Adobe binary would apparently conflict with
the Adobe license.

Vendor notified: on or before 2001-03-02

references/excerpts:
ftp://ftp.adobe.com/pub/adobe/acrobatreader/unix/4.x/linux-ar-405.tar.gz
http://www.google.com/search?q=AdobeFnt.lst+security&btnG=Google+Search
http://bugs.debian.org/acroread
ftp://ftp.debian.org/debian/pool/non-free/a/acroread/acroread_4.05-4.diff.gz
http://www.wiretrip.net/rfp/policy.html

example work-around wrappers (use at your own risk, standard disclaimers
apply ...):
########################################################################
if [ ! -e $HOME/AdobeFnt.lst ]; then 
  # AcroRead will happily create a world writable AdobeFnt.lst ... 
  trap "rm -f $HOME/AdobeFnt.lst" 0 
  ln -s /dev/null $HOME/AdobeFnt.lst 
fi 
########################################################################
#wrapper stuff to work around world writable ~/AdobeFnt.lst issues

#directory we'll use, relative to HOME, to work around the problem
kludgedir=.AdobeFnt.security_kludge_dir

#check HOME isn't null
[ X"$HOME" != X ] || {
	1>&2 echo "$0: HOME is unset or null - aborting"
	exit 1
}

#if pathname for our kludge directory exists
if >>/dev/null 2>&1 ls -d "$HOME/$kludgedir"
then
	#check that it's properly secured
	2>>/dev/null ls -lLd "$HOME/$kludgedir" | >>/dev/null 2>&1 grep '^d....--.--' || {
		#not properly secured, complain and exit
		1>&2 echo "$0: found $HOME/$kludgedir but expecting directory with no group or world write or execute permissions - aborting"
		exit 1
	}
else
	#"$HOME/$kludgedir" doesn't exist, make it
	(umask 077 && mkdir -p "$HOME/$kludgedir")
	#we should have properly secure "$HOME/$kludgedir" at this point, verify
	2>>/dev/null ls -lLd "$HOME/$kludgedir" | >>/dev/null 2>&1 grep '^d....--.--' || {
		1>&2 echo "$0: unable to create properly secured $HOME/$kludgedir - aborting"
		exit 1
	}
fi

#does "$HOME"/AdobeFnt.lst exist in any form?
if >>/dev/null 2>&1 ls -d "$HOME"/AdobeFnt.lst
then
	#"$HOME"/AdobeFnt.lst may already be set up properly - check
	if [ X"`2>>/dev/null ls -ld "$HOME"/AdobeFnt.lst | sed -ne 's/^l.* -> \(.*\)/\1/p'`" != X"$kludgedir"/AdobeFnt.lst ]
	then
		#it's not what we were hoping for ... is it ordinary file?
		if [ ! -L "$HOME"/AdobeFnt.lst -a -f "$HOME"/AdobeFnt.lst ]
		then
			rm -f "$HOME"/AdobeFnt.lst
			#is it gone?
			[ ! -f "$HOME"/AdobeFnt.lst ] || {
				1>&2 echo "$0: failed to remove $HOME/AdobeFnt.lst file - aboring"
				exit 1
			}
			ln -s "$kludgedir"/AdobeFnt.lst "$HOME"/AdobeFnt.lst
			#test that "$HOME"/AdobeFnt.lst has been set up properly
			[ X"`2>>/dev/null ls -ld "$HOME"/AdobeFnt.lst | sed -ne 's/^l.* -> \(.*\)/\1/p'`" = X"$kludgedir"/AdobeFnt.lst ] || {
				1>&2 echo "$0: failed to create proper secure $HOME/AdobeFnt.lst - aborting"
				exit 1
			}
		else
			1>&2 echo "$0: $HOME/AdobeFnt.lst isn't set up as we need it, please remove it - aborting"
			exit 1
		fi
	fi
else
	ln -s "$kludgedir"/AdobeFnt.lst "$HOME"/AdobeFnt.lst
	#test that "$HOME"/AdobeFnt.lst has been set up properly
	[ X"`2>>/dev/null ls -ld "$HOME"/AdobeFnt.lst | sed -ne 's/^l.* -> \(.*\)/\1/p'`" = X"$kludgedir"/AdobeFnt.lst ] || {
		1>&2 echo "$0: failed to create proper secure $HOME/AdobeFnt.lst - aborting"
		exit 1
	}
fi

#we're done with the kludgedir shell variable
unset kludgedir
########################################################################

_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC