
Security issue: Code injection due to insecure tmp file creation (Version <= 2.4.0) #288

Open
fluffysatoshi opened this issue May 3, 2024 · 0 comments


fluffysatoshi commented May 3, 2024

This is fixed in Version 2.4.1 (modernized File-system Interface uses O_EXCL to create files in the tmp folder).

I would suggest adding a security note to the 2.4.1 release notes.

Details

Jansi extracts a .so library to the global temp folder to implement its terminal features via OS-dependent native code.

It actually creates two files:

  1. jansi-{random}.so.lck (lock file)
  2. jansi-{random}.so (library file)

Although random is a secure random string which cannot be predicted, this approach creates a race condition between step 1 and step 2.

The exploit watches for jansi-*lck file creation in the tmp folder. Once this file is created, it prepares a world-writable jansi-{random}.so to get ahead of the Jansi Java program which itself doesn't check if this file already exists and just overwrites it (keeping its world-writable permissions).

Now the exploit watches for a CLOSE_NOWRITE event of the jansi-{random}.so file and replaces this file via an atomic rename of its own jansi.so file.

Full details and PoC

@fluffysatoshi fluffysatoshi changed the title Code injection due to insecure tmp file creation (Version <= 2.4.0) Security issue: Code injection due to insecure tmp file creation (Version <= 2.4.0) May 8, 2024
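An added Java example (not Jansi's own code) contrasting the overwriting open described in the report with an exclusive open equivalent to the O_EXCL fix mentioned for 2.4.1. Names such as ExclusiveTmpFile, openOverwriting and openExclusive are hypothetical, the planted file is constructed in a fresh temp directory, and a POSIX file system is assumed.

```java
import java.io.IOException;
import java.nio.channels.FileChannel;
import java.nio.file.*;
import java.nio.file.attribute.*;
import java.util.Set;

public class ExclusiveTmpFile {

    // Vulnerable pattern (hypothetical, modelled on the report): CREATE + TRUNCATE_EXISTING
    // reuses a file that already exists under the expected name, keeping whatever
    // mode bits the party that planted it chose.
    static FileChannel openOverwriting(Path target) throws IOException {
        return FileChannel.open(target, StandardOpenOption.CREATE,
                StandardOpenOption.WRITE, StandardOpenOption.TRUNCATE_EXISTING);
    }

    // Hardened pattern: CREATE_NEW is O_CREAT|O_EXCL, so an existing file makes the call
    // throw FileAlreadyExistsException, and a new file is born with owner-only permissions.
    static FileChannel openExclusive(Path target) throws IOException {
        FileAttribute<Set<PosixFilePermission>> ownerOnly =
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------"));
        return FileChannel.open(target,
                Set.of(StandardOpenOption.CREATE_NEW, StandardOpenOption.WRITE), ownerOnly);
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("jansi-demo");
        Path planted = dir.resolve("jansi-demo.so");   // constructed stand-in for jansi-{random}.so

        // Simulate a world-writable file placed under the expected name before we open it.
        Files.createFile(planted);
        Files.setPosixFilePermissions(planted, PosixFilePermissions.fromString("rw-rw-rw-"));

        try (FileChannel ch = openOverwriting(planted)) {
            System.out.println("overwriting open succeeded; mode is still "
                    + PosixFilePermissions.toString(Files.getPosixFilePermissions(planted)));
        }

        try (FileChannel ch = openExclusive(planted)) {
            System.out.println("unexpected: exclusive open reused an existing file");
        } catch (FileAlreadyExistsException e) {
            System.out.println("exclusive open refused pre-existing file: " + e.getFile());
        }

        Path fresh = dir.resolve("jansi-fresh.so");
        try (FileChannel ch = openExclusive(fresh)) {
            System.out.println("fresh exclusive file mode: "
                    + PosixFilePermissions.toString(Files.getPosixFilePermissions(fresh)));
        }
    }
}
```

With the exclusive open, a file that appears under the expected name before step 2 makes extraction fail closed instead of being silently reused; the same open mode should be applied to the lock file from step 1.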