oss-sec mailing list archives

CVE Request: texlive: insecure use of /tmp in mktexlsr


From: Vasyl Kaigorodov <vkaigoro () redhat com>
Date: Thu, 23 Apr 2015 17:19:25 +0200

Hello,

I would like to request a CVE for the following issue:

mktexlsr script uses /tmp in an insecure way.
From the original Debian bug report:
"""
This is how mktexlsr uses temporary files (with boring parts snipped):

treefile="${TMPDIR-/tmp}/mktexlsrtrees$$.tmp"
# ...
while test $# -gt 0; do
   # ...
   (umask 077
   if echo "$1" >>"$treefile"; then :; else
     echo "$progname: $treefile: could not append to arg file, goodbye." >&2
     exit 1
   fi
   # ...
done


This is insecure because the filename is predictable and, more 
importantly, the program doesn't fail atomically if the file already 
exists.
"""

References:
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775139
  https://bugzilla.redhat.com/show_bug.cgi?id=1181167

Thanks.
-- 
Vasyl Kaigorodov | Red Hat Product Security
PGP:  0xABB6E828 A7E0 87FF 5AB5 48EB 47D0 2868 217B F9FC ABB6 E828

Come talk to Red Hat Product Security at the Summit!
Red Hat Summit 2015 - https://www.redhat.com/summit/
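
The failure mode described in the quoted report, next to two ways of avoiding it, as an added example that is not part of the original message, the mktexlsr source or any upstream fix. The function names and the scratch-directory scenario are constructed for illustration.

```shell
#!/bin/sh
# Added example: not the mktexlsr source and not the upstream fix.

# Pattern from the quoted report: predictable name, opened with >>.
# A file that already exists under that name is silently reused.
append_predictable() {   # $1 = path, $2 = line to append
    (umask 077; echo "$2" >>"$1")
}

# Same predictable name, but created exclusively: with noclobber (set -C)
# the > redirection fails if a regular file is already there.
create_exclusive() {     # $1 = path
    (umask 077; set -C; : >"$1") 2>/dev/null
}

# Unpredictable name: mktemp creates the file atomically with mode 0600
# and prints its path; a non-zero status means nothing was created.
make_treefile() {        # $1 = directory (defaults to $TMPDIR, then /tmp)
    mktemp "${1:-${TMPDIR-/tmp}}/mktexlsrtrees.XXXXXX"
}

# Constructed scenario in a private scratch directory: the file the script
# is about to use has already been created by someone else.
demo() {
    scratch=$(mktemp -d) || return 1
    predictable="$scratch/mktexlsrtrees$$.tmp"
    echo "pre-existing content" >"$predictable"

    append_predictable "$predictable" "/usr/share/texmf"
    reused_lines=$(wc -l <"$predictable" | tr -d ' ')   # old line is kept

    if create_exclusive "$predictable"; then exclusive=created
    else exclusive=refused; fi

    safe=$(make_treefile "$scratch") || return 1
    safe_mode=$(ls -l "$safe" | cut -c1-10)
    rm -rf "$scratch"
    echo "$reused_lines $exclusive $safe_mode"
}

demo
```

The `>>` variant ends up with two lines in a file it did not create, the noclobber variant refuses, and the `mktemp` variant gets a fresh file readable only by its owner.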
