Description
This gem is susceptible to a code execution attack due to its use of a fixed directory in /tmp and of YAML without safe_load. The directory name is predictable in the default configuration, and no check is done on its owner or permissions.
Someone could therefore create the directory /tmp/openuri-$targetuid/ ahead of time with 777 permissions, pre-create the directories for the hosts to be contacted (or just wait until the directory is created and rename it, thanks to the 777 permissions) with suitable permissions, wait until a meta file is created, and
replace it with one containing Ruby code that is executed when loaded by YAML.load, since the gem doesn't use the safe YAML loader
(http://www.benjaminfleischer.com/2013/03/20/yaml-and-security-in-ruby/).
See http://www.openwall.com/lists/oss-security/2015/05/05/14
and http://www.openwall.com/lists/oss-security/2015/05/06/2 for details.
The ID CVE-2015-3649 has been assigned to this issue.
There are various fixes. For one, using $XDG_RUNTIME_DIR when it is defined fixes the issue on Linux systems. Verifying the owner and permissions of the meta file would also prevent the issue.
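As an added example (not code from the gem or from the issue author), the following Ruby sketch combines the mitigations mentioned above: it resolves the cache directory under $XDG_RUNTIME_DIR when that is set, otherwise creates it under the system tmp dir with mode 0700, verifies owner and mode (and rejects symlinks) before use, and checks the meta file's owner and permissions before parsing it with YAML.safe_load instead of YAML.load. The function names, the "openuri-<uid>" directory name and the metadata layout are assumptions for illustration.

```ruby
require 'yaml'
require 'tmpdir'

# Assumed helper: pick a per-user cache directory. Prefer $XDG_RUNTIME_DIR,
# which is already private to the user on Linux; otherwise fall back to a
# directory under the system tmp dir created with mode 0700.
def secure_cache_dir(base = ENV['XDG_RUNTIME_DIR'] || Dir.tmpdir,
                     name: "openuri-#{Process.uid}")
  dir = File.join(base, name)
  # Create only if missing; Dir.mkdir honours the umask but 0700 stays 0700.
  Dir.mkdir(dir, 0700) unless File.directory?(dir)
  # Re-check what is actually there: a pre-planted 777 directory or a symlink
  # placed by another user must not be accepted just because it exists.
  verify_private_dir!(dir)
  dir
end

# Reject anything that is not a real directory owned by us and closed to
# group/others. lstat is used so a symlink is detected instead of followed.
def verify_private_dir!(dir)
  st = File.lstat(dir)
  raise "#{dir}: not a directory (symlink?)" unless st.directory?
  raise "#{dir}: owned by uid #{st.uid}, expected #{Process.uid}" unless st.uid == Process.uid
  unless (st.mode & 0077).zero?
    raise "#{dir}: mode #{'%o' % (st.mode & 0777)} is group/world accessible"
  end
  true
end

# Same idea for the cached meta file: only a regular file we own with no
# group/world bits is parsed, and it is parsed with safe_load so that YAML
# tags such as !ruby/object cannot instantiate arbitrary classes.
def load_meta(path)
  st = File.lstat(path)
  raise "#{path}: not a regular file" unless st.file?
  raise "#{path}: owned by uid #{st.uid}, expected #{Process.uid}" unless st.uid == Process.uid
  raise "#{path}: group/world accessible" unless (st.mode & 0077).zero?
  # permitted_classes is empty: plain hashes, strings, numbers only.
  YAML.safe_load(File.read(path), permitted_classes: [], aliases: false)
end
```

A hostile meta file is not silently ignored: safe_load raises Psych::DisallowedClass, so the caller can drop the cache entry and re-fetch rather than execute whatever was planted.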