VYPR
Medium severity 5.1 · NVD Advisory · Published May 5, 2024 · Updated Apr 15, 2026

CVE-2024-34490

Description

Maxima before commit 51704c creates temporary plot files with predictable names under /tmp, allowing local attackers to pre-create them and inject malicious content.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

The vulnerability in Maxima up to version 5.47.0 (prior to commit 51704c) lies in its plotting facilities, which create temporary files in the world-writable /tmp directory under predictable names [1]. The root cause is that these files are created under a fixed, guessable name pattern (e.g., /tmp/maxout25041.gnuplot) rather than through a secure creation mechanism such as mkstemp, so the name can be known before the file exists [1].

Exploitation

A local attacker can pre-create files with the expected names in /tmp, thereby controlling their contents. Since /tmp is globally writable, the attacker can claim ownership and later inject malicious data or code into the plot files before Maxima opens them [1]. No special privileges beyond local system access are required.
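The two file-creation patterns contrasted in the overview and exploitation sections, as an added C example that is not Maxima's own code: `open_predictable` reproduces the guessable `/tmp/maxout<pid>.gnuplot` naming with a plain `O_CREAT` open, and the second demo uses `mkstemp`, the secure alternative the text names. The `maxout` prefix comes from the advisory; the demo functions, their names and the constructed stale file are illustration only and assume a POSIX system with a writable /tmp.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak pattern from the advisory: the name is derived from the PID, so it is
 * guessable, and O_CREAT without O_EXCL reuses whatever already sits there. */
int open_predictable(const char *dir, pid_t pid, char *path, size_t len) {
    snprintf(path, len, "%s/maxout%d.gnuplot", dir, (int)pid);
    return open(path, O_WRONLY | O_CREAT, 0600);
}

/* Returns 1 when a file already present at the guessable path is reused by
 * the weak open but refused by an exclusive create (errno == EEXIST). */
int demo_precreated_name(void) {
    char path[128];
    snprintf(path, sizeof path, "/tmp/maxout%d.gnuplot", (int)getpid());
    unlink(path);                                   /* start from a clean state */
    int pre = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600); /* constructed stale file */
    if (pre < 0) return 0;
    close(pre);
    int weak = open_predictable("/tmp", getpid(), path, sizeof path);
    int reused = weak >= 0;                         /* weak open happily reuses it */
    if (reused) close(weak);
    int strict = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    int refused = strict < 0 && errno == EEXIST;    /* exclusive create refuses it */
    if (strict >= 0) close(strict);
    unlink(path);
    return reused && refused;
}

/* Hardened pattern: mkstemp randomizes the XXXXXX suffix and creates the file
 * atomically with O_EXCL and mode 0600. Returns 1 when the result is a fresh,
 * private regular file (one link, owned by us) whose name left the template. */
int demo_mkstemp_fresh(void) {
    char path[] = "/tmp/maxoutXXXXXX";
    struct stat st;
    int fd = mkstemp(path);
    if (fd < 0) return 0;
    int ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_nlink == 1
          && st.st_uid == getuid() && (st.st_mode & 0777) == 0600
          && strcmp(path, "/tmp/maxoutXXXXXX") != 0;
    close(fd); unlink(path);
    return ok;
}
```

Both demo functions return 1 on a correctly behaving POSIX system; the first shows why a predictable name combined with a non-exclusive open is the defect, the second what the mkstemp-based fix guarantees.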

Impact

Successful exploitation allows the attacker to alter the behavior of Maxima's plotting outputs. This could lead to code execution if the plot data is processed unsafely, or to information disclosure and denial of service via corrupted file content [1]. The issue affects all plotting functions, including plot2d.

Mitigation

The fix is available in Maxima commit 51704c, which should be applied by updating to the latest version [1]. Users of affected versions should avoid using Maxima in multi-user environments or restrict access to /tmp. No known workaround is documented, and the CVE is not listed in CISA KEV.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (No linked articles in our index yet.)