Description
Zim creates temporary directories with predictable names. A malicious user could predict and create Zim's temporary directories and prevent other users from being able to start Zim, resulting in a denial of service.
Steps to Reproduce
Create two users: user1 and user2.
As user1: mkdir /tmp/zim-user2
As user2: Start Zim
Zim will attempt to change the permissions of /tmp/user2 to 0700. Because /tmp/user2 is actually owned by user1, the call to os.chmod() will fail and Zim will crash.
Workaround
An affected user can set the $TMP or $TMPDIR environment variables to point to somewhere that is not world-writable (e.g. /home/USER/tmp).
Version Affected
0.42-beta1 and later
Operating System
Linux
Severity
Low
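One way an application can avoid the crash described in this report, given here as an added example (it is not Zim's code and not part of the original report). The helper `private_tmp_dir` and its `uid` parameter are hypothetical, and a scratch directory stands in for /tmp.

```python
import os
import stat
import tempfile


def private_tmp_dir(base, name, uid=None):
    """Return a directory under `base` usable only by the user `uid`.

    Hypothetical helper: prefers the predictable path base/name, but falls
    back to a randomly named directory when that path was planted by
    someone else, instead of crashing on chmod.
    """
    uid = os.geteuid() if uid is None else uid
    path = os.path.join(base, name)
    try:
        os.mkdir(path, 0o700)      # atomic: raises if anything already exists
        return path
    except FileExistsError:
        pass
    st = os.lstat(path)            # lstat so a planted symlink is not followed
    if stat.S_ISDIR(st.st_mode) and st.st_uid == uid:
        if stat.S_IMODE(st.st_mode) != 0o700:
            os.chmod(path, 0o700)  # we own it, so this cannot fail with EPERM
        return path
    # Not ours, or not a real directory: pick an unpredictable name instead.
    return tempfile.mkdtemp(prefix=name + "-", dir=base)


def demo():
    """Constructed scenario; a scratch directory stands in for /tmp."""
    with tempfile.TemporaryDirectory() as base:
        planted = os.path.join(base, "zim-user2")
        os.mkdir(planted, 0o755)   # the directory "user1" created in advance
        # Simulate being user2 by passing a uid that does not own `planted`.
        other = private_tmp_dir(base, "zim-user2", uid=os.geteuid() + 1)
        # As the real owner, the predictable path is reused and tightened.
        own = private_tmp_dir(base, "zim-user2")
        mode = stat.S_IMODE(os.stat(own).st_mode)
        return other != planted, own == planted, mode


if __name__ == "__main__":
    print(demo())
```

The ownership check relies on the base directory having the sticky bit set, as /tmp normally does, so that another user cannot replace a directory once it is owned by the caller.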