The AdobeFnt.lst file actually comes from libCoolType.so.1, so there is potential that other Adobe software that uses libCoolType.so.1 would also be vulnerable to this bug. I don't know if there is other stuff that uses libCoolType or not, but looking at the symbol table it appears that it is a font library of sorts [I also noticed that it was compiled with gcc ;-)].

It appears that the permissions are only set insecurely if the file didn't already exist, so a very simple wrapper around AdobeFnt.lst that created the file with good permissions first would probably suffice.

Using truss on Solaris I discovered that the creation of the AdobeFnt.lst file in the user's home directory is the only time that fchmod(fd, 0666) was called, so my previous LD_PRELOAD fix that circumvents Adobe's poor security can be simplified to just this (which I have compiled and tested):

#define _GNU_SOURCE     /* needed for RTLD_NEXT on glibc */
#include <limits.h>
#include <sys/types.h>
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>

/* Interposed fchmod(): every call is forced to mode 0600. */
int fchmod(int fildes, mode_t mode)
{
    /* Pointer to the real fchmod(), resolved on first use. */
    static int (*fptr)(int fildes, mode_t mode) = 0;

    if (fptr == 0) {
        fptr = (int (*)(int, mode_t))dlsym(RTLD_NEXT, "fchmod");
        if (fptr == NULL) {
            (void) fprintf(stderr, "dlsym: %s\n", dlerror());
            return -1;  /* int return type: report failure as -1 */
        }
    }

    /* Ignore the requested mode (0666 in the traced call). */
    mode = 0600;
    return ((fptr)(fildes, mode));
}

--
Darren J Moffat
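The wrapper approach mentioned in the message above (create AdobeFnt.lst with good permissions before the application runs), as an added example that is not part of the original post. The function name `precreate_private` and the command-line layout are assumptions; the file path and the program to launch are supplied by the caller.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* exposes O_NOFOLLOW under strict -std= modes */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Ensure path is a regular file owned by the caller with mode 0600.
 * Returns 0 on success, -1 if it cannot be made private. */
int precreate_private(const char *path)
{
    struct stat st;
    /* O_EXCL succeeds only if we create the file, so it is never wider than 0600. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);

    /* Already there: open it without following a symlink or blocking on a FIFO. */
    if (fd < 0 && errno == EEXIST)
        fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;

    /* Verify the opened inode, then tighten a file an earlier run left at 0666. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid() ||
        ((st.st_mode & 07777) != 0600 && fchmod(fd, 0600) != 0)) {
        close(fd);
        return -1;
    }
    return close(fd);
}

/* Hypothetical usage: ./wrapper <path to AdobeFnt.lst> <program> [args...] */
int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s font-list-file program [args...]\n", argv[0]);
        return 2;
    }
    if (precreate_private(argv[1]) != 0) {
        perror(argv[1]);
        return EXIT_FAILURE;
    }
    execvp(argv[2], &argv[2]);   /* only returns on failure */
    perror(argv[2]);
    return 127;
}
```

Unlike the LD_PRELOAD interposer, this relies on the observation in the post that the loose mode is applied only when the file is first created.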
This archive was generated by hypermail 2b30 : Thu Aug 23 2001 - 13:19:32 PDT