Re: Adobe Acrobat creates world writable ~/AdobeFnt.lst files

From: Darren Moffat (Darren.Moffatat_private)
Date: Thu Aug 23 2001 - 13:07:01 PDT


    The AdobeFnt.lst file actually comes from libCoolType.so.1 so there is
    potential that other Adobe software that uses libCoolType.so.1 would
    also be vulnerable to this bug.
    
    I don't know if there is other stuff that uses libCoolType or not, but looking
    at the symbol table it appears that it is a font library of sorts [I also
    noticed that it was compiled with gcc ;-)].
    
    It appears that the permissions are only set insecurely if the file
    didn't already exist, so a very simple wrapper around AdobeFnt.lst that
    created the file with good permissions first would probably suffice.
    
    Using truss on Solaris I discovered that the creation of the AdobeFnt.lst
    file in the users home directory is the only time that fchmod(fd, 0666) was
    called so my previous LD_PRELOAD fix that circumvents Adobe's poor security
    can be simplified to just this (which I have compiled and tested):
    
    
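    #define _GNU_SOURCE     /* exposes RTLD_NEXT on glibc */
    #include <limits.h>
    #include <sys/types.h>
    #include <sys/stat.h>
    #include <dlfcn.h>
    #include <stdio.h>
    #include <stdlib.h>
    
    /* Interposed via LD_PRELOAD: every fchmod() call is forced to mode 0600. */
    int fchmod(int fildes, mode_t mode)
    {
            static int (*fptr)(int fildes, mode_t mode) = 0;
    
            if (fptr == 0) {
                /* Resolve the real fchmod() from the next object in search order. */
                fptr = (int (*)(int, mode_t))dlsym(RTLD_NEXT, "fchmod");
                if (fptr == NULL) {
                    (void) fprintf(stderr, "dlsym: %s\n", dlerror());
                    return -1;
                }
            }
    
            /* Discard the caller's requested mode (0666 in the AdobeFnt.lst case). */
            mode = 0600;
    
            return ((fptr)(fildes, mode));
    }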
    
    --
    Darren J Moffat
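
The message above also notes that the permissions are only set insecurely when the file does not already exist, so creating it first with good permissions would probably suffice. The following is an added example of that pre-creation step, not code from the original post or from Adobe; `secure_fontlist()` is a hypothetical name, and the program assumes it is run as the user before Acrobat starts.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Hypothetical helper: make <dir>/AdobeFnt.lst a regular file we own, mode 0600.
 * Returns 0 if it created the file, 1 if an existing file was tightened,
 * -1 on error (symlink or non-regular file in the way, foreign owner, ...).
 */
int secure_fontlist(const char *dir)
{
    char path[PATH_MAX];
    struct stat st;
    int fd, existed = 0;

    if (snprintf(path, sizeof path, "%s/AdobeFnt.lst", dir) >= (int)sizeof path)
        return -1;

    /* O_EXCL: succeed only if we create it. O_NOFOLLOW: refuse symlinks. */
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) {
        if (errno != EEXIST)
            return -1;
        existed = 1;
        /* O_NONBLOCK so a FIFO planted at this name cannot hang us. */
        fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
        if (fd < 0)
            return -1;
    }
    /* Check and chmod through the descriptor so the path cannot be swapped. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || fchmod(fd, 0600) != 0) {
        close(fd);
        return -1;
    }
    close(fd);
    return existed;
}

int main(void)
{
    const char *home = getenv("HOME");   /* run before starting Acrobat */
    return (home != NULL && secure_fontlist(home) >= 0) ? 0 : 1;
}
```

Unlike the LD_PRELOAD interposer, this leaves every other `fchmod()` call in the process untouched, but it only helps if the observation that an existing file keeps its mode holds for the installed version.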
    



    This archive was generated by hypermail 2b30 : Thu Aug 23 2001 - 13:19:32 PDT