In-Reply-To: <200206242133.g5OLXgS78108@milan.maths.usyd.edu.au>

<psz@maths.usyd.edu.au (Paul Szabo)> wrote
[...]
>Acroread creates or overwrites the file /tmp/AdobeFnt06.lst.UID, and
>changes its permissions to wide open (mode 666); it also follows
>symlinks. The attack is obvious:
>
>  ln -s ~victim/.bashrc /tmp/AdobeFnt06.lst.VUID
>
>and wait for victim to use acroread; then we can write his .bashrc.

Adobe claims to have fixed this in 5.06:

README:
| New for Acrobat Reader 5.0.6
|
| A security patch was applied that solves the problem
| reported in http://online.securityfocus.com/archive/1/278984 where
| opening the font cache when the application starts up
| can unintentionally cause the permissions of other
| files to change.

cu
andreas
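
The defensive counterpart to the behaviour described in this thread, as an added example that is not part of the original message and not Adobe's actual fix (which the README does not describe): open a cache file in a shared directory without following a symlink at the final path component, and set permissions on the opened descriptor instead of on a path. The names open_cache_file and demo_symlink_refused and the scratch paths are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open a per-user cache file in a shared directory
 * without following symlinks and without widening its permissions. */
int open_cache_file(const char *path)
{
    struct stat st;
    /* O_NOFOLLOW: open() fails (ELOOP) if the last component is a symlink. */
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    /* Validate the object actually opened: regular file, ours, one link.
     * fchmod() acts on the descriptor, so it cannot be redirected. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1 ||
        fchmod(fd, 0600) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario in a scratch directory: "target" stands in for a
 * user's own file, "cache" is a symlink sitting at the cache file's name.
 * Returns 1 if the symlink is refused, the target keeps mode 0600, and a
 * normal (non-symlink) cache file is then created with mode 0600. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/cachedemoXXXXXX", target[64], cache[64];
    struct stat st;
    int fd, refused, created;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(cache, sizeof cache, "%s/cache", dir);
    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || fchmod(fd, 0600) != 0 || symlink(target, cache) != 0) return -1;
    close(fd);
    fd = open_cache_file(cache);              /* symlink present: must fail */
    refused = fd < 0 && stat(target, &st) == 0 && (st.st_mode & 0777) == 0600;
    if (fd >= 0) close(fd);
    unlink(cache);
    fd = open_cache_file(cache);              /* no symlink: must succeed */
    created = fd >= 0 && fstat(fd, &st) == 0 && (st.st_mode & 0777) == 0600;
    if (fd >= 0) close(fd);
    unlink(cache); unlink(target); rmdir(dir);
    return refused && created;
}
int main(void) { return demo_symlink_refused() == 1 ? 0 : 1; }
```

O_NOFOLLOW only covers the final path component; keeping the cache in a directory owned by the user avoids the shared-directory race altogether.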