hello Yiheng Cao,
thanks for your report; the function newTempOdfDirectory you found in
odfdom-java 0.8.6 does indeed look problematic.
the vulnerable function newTempOdfDirectory does not exist in the
current odftoolkit version 0.10, and it also does not exist in the
previous version 0.9.
all earlier versions are unsupported; there will not be a patch release
for 0.8.6.
it turns out the function newTempOdfDirectory was removed in 2011 with
commit c6ef281fa737c0d38f72b5604342991157e69c2c
https://github.com/tdf/odftoolkit/commit/c6ef281fa737c0d38f72b5604342991157e69c2c
also, please note that there is a mailing list for reporting security
issues in "The Document Foundation" projects that also covers the ODF
Toolkit project, it is: security@documentfoundation.org
(... possibly we need to document this better on the website)
regards,
michael
On 17/08/2023 13:12, Yiheng Cao wrote:
Hi there,
I may have discovered a method in org.odftoolkit : odfdom-java : 0.8.6 which has
a Temporary Directory Vulnerability. The vulnerability is located in the method newTempOdfDirectory from class
org.odftoolkit.odfdom.pkg.TempDir. The vulnerability bears similarities to a recent CVE disclosure, CVE-2022-3969, in the
"Document Management System" project.
Vulnerability Details:
CVE Identifier: CVE-2022-3969
Description: A vulnerability was found in OpenKM up to 6.3.11 and classified as problematic.
Affected by this issue is the function getFileExtension of the file
src/main/java/com/openkm/util/FileUtils.java. The manipulation leads to insecure temporary file.
Upgrading to version 6.3.12 is able to address this issue. The name of the patch is
c069e4d73ab8864345c25119d8459495f45453e1. It is recommended to upgrade the affected component. The
identifier of this vulnerability is VDB-213548.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-3969
Vulnerability Description: The vulnerability is present in the org.odftoolkit.odfdom.pkg.TempDir class, specifically in the
newTempOdfDirectory function. This function is responsible for handling temporary directories. A chain of calls involving
File.createTempFile() -> file.delete() -> either file.mkdir() or file.mkdirs() has been detected, leaving the library exposed to
Temporary Directory Hijacking or Information Disclosure attacks.
Library Usage:
The org.odftoolkit : odfdom-java : 0.8.6 has 44 usages according
to Maven Repository and ranks 8580 in MvnRepository. Besides, according to data from library.io, this specific version, 0.8.6, stands out
as the most prevalent, with an impressive utilization rate of 33.88% among all libraries that incorporate
"org.odftoolkit:odfdom-java". Due to the extensive adoption of this library, the identified vulnerability poses the potential
for far-reaching consequences.
Recommended Actions:
To address this issue, I suggest the following actions:
1. Apply Patch: Refer to the patch provided by the "Document Management
System" project, which shares similarities with this vulnerability. The patch can be found at the following link:
https://github.com/openkm/document-management-system/commit/c069e4d73ab8864345c25119d8459495f45453e1.
2. Review GitHub Pull Request: Study the detailed description of the
vulnerability and the proposed fix in the "Document Management System" project's GitHub pull request:
https://github.com/openkm/document-management-system/pull/332.
I understand the importance of responsible disclosure, and I am
willing to cooperate with your team throughout the process of fixing and verifying the vulnerability. If you require
any further information or assistance, please do not hesitate to reach out to me.
Thank you and looking forward to hearing from you soon.
--
To unsubscribe e-mail to: dev+unsubscribe@odftoolkit.org
Problems? https://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: https://wiki.documentfoundation.org/Netiquette
List archive: https://listarchives.odftoolkit.org/dev/
Privacy Policy: https://www.documentfoundation.org/privacy
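As an added illustration of the createTempFile() -> delete() -> mkdir() chain discussed in the report (this is example code written for this thread, not code from odfdom-java 0.8.6 or from the OpenKM patch), the snippet below places the racy pattern next to a hardened form that creates the directory atomically with java.nio. The method names insecureTempDir and secureTempDir are hypothetical; whether the OpenKM fix takes exactly this approach is not stated in the thread.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

public class TempDirExample {

    // The pattern the report describes: createTempFile -> delete -> mkdir.
    // Between delete() and mkdir() the path name is known and unowned, so a
    // different local user can create an entry with that name first. mkdir()
    // then fails, or, if its return value is ignored, the caller proceeds to
    // work inside a directory it does not own (hijacking / disclosure).
    static File insecureTempDir(String prefix) throws IOException {
        File f = File.createTempFile(prefix, "");
        if (!f.delete()) {
            throw new IOException("could not delete " + f);
        }
        if (!f.mkdir()) {          // race window sits between delete() and here
            throw new IOException("could not create " + f);
        }
        return f;
    }

    // Hardened form: Files.createTempDirectory creates the directory in one
    // atomic call and fails rather than reusing a pre-existing entry. On POSIX
    // file systems the directory is also created with owner-only permissions.
    static Path secureTempDir(String prefix) throws IOException {
        if (FileSystems.getDefault().supportedFileAttributeViews().contains("posix")) {
            Set<PosixFilePermission> perms = PosixFilePermissions.fromString("rwx------");
            FileAttribute<Set<PosixFilePermission>> attr = PosixFilePermissions.asFileAttribute(perms);
            return Files.createTempDirectory(prefix, attr);
        }
        return Files.createTempDirectory(prefix);
    }

    public static void main(String[] args) throws IOException {
        Path dir = secureTempDir("odf-");
        System.out.println("created " + dir + " owned by " + Files.getOwner(dir));
        Files.delete(dir);   // clean up the empty directory created for the demo
    }
}
```

The insecure variant is kept only so the two can be read side by side; a code review or static rule flagging `createTempFile` followed by `delete` and `mkdir`/`mkdirs` on the same `File` is a practical way to find this pattern in a code base.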