Bug#: 252734
Alias:
Product:
Component:
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: Robert Buchholz <rbu@gentoo.org>
CC:
URL:
Summary:
Status Whiteboard:
Keywords:

Filename Description Type Creator Created Size Actions
pdfjam-security.patch Patch to fix two security issues and the non-POSIXness patch Martin Väth 2008-12-28 11:40 0000 3.80 KB Details | Diff

Bug 252734 depends on:
Bug 252734 blocks:



Description:   Opened: 2008-12-27 18:51 0000
CVE-2008-5743 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5743):
  pdfjam creates the (1) pdf90, (2) pdfjoin, and (3) pdfnup files with
  a predictable name, which allows local users to overwrite arbitrary
  files via a symlink attack.

------- Comment #1 From Robert Buchholz 2008-12-27 18:53:08 0000 -------
I wonder if other packages bundle this code?

------- Comment #2 From Martin Väth 2008-12-28 11:40:09 0000 -------
Created an attachment (id=176591) [details]
Patch to fix two security issues and the non-POSIXness

Actually there is a much more severe security issue in pdfjam:
In the default setting it puts the current directory into PATH (because
pdflatex has an empty dirname which is put at the beginning of PATH).

The attached patch fixes both security issues, for simplicity requiring that
"mktemp -d" is available and working.

In addition, it replaces the non-POSIX "source" by ".": Since the scripts are
#!/bin/sh and not #!/bin/bash they should be at least POSIX-conformant (these
scripts would otherwise break in gentoo if /bin/sh is a symlink to dash).

------- Comment #3 From Robert Buchholz 2008-12-28 13:48:54 0000 -------
This is even worse since the script changes to the tempdir before calling
pdflatex:
  cd "$tempfileDir"
  "$pdflatex" --interaction batchmode "$texFile" > "$msgFile"

So you could either prepare a (e.g.) sed executable in $PWD or a pdflatex
executable in /var/tmp. The patch looks fine to me, please bump.
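
Worked illustration of the two issues discussed above, added here for reference (this is not pdfjam's code or the attached patch; the function names and the `pdflatex` variable value are assumptions):

```sh
#!/bin/sh
# Added illustration (not from pdfjam or the patch in this bug): why an
# unqualified command name ends up putting "." at the front of PATH, and
# the mktemp-based replacement for a predictable temp directory name.

# Hypothetical configurable, the way a script like pdfjam would set it.
pdflatex="pdflatex"

# The unsafe pattern: dirname of a bare command name is ".", so prepending
# it to PATH means the current directory (or, after a cd into a world-
# writable temp dir, that temp dir) is searched before the system paths.
unsafe_path() {
    printf '%s:%s\n' "$(dirname "$1")" "$PATH"
}

# Hardened: only prepend a directory when the command was given with an
# explicit path; a bare name is resolved through the existing PATH as-is.
safe_path() {
    case $1 in
        */*) printf '%s:%s\n' "$(dirname "$1")" "$PATH" ;;
        *)   printf '%s\n' "$PATH" ;;
    esac
}

# Hardened temp dir: mktemp -d creates a directory with an unpredictable
# name and mode 0700, so a pre-planted symlink or file cannot match it
# (the patch in this bug requires "mktemp -d" to be available for this).
make_tempdir() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/pdfjam.XXXXXX") || return 1
    printf '%s\n' "$d"
}

# Demonstration when run directly.
if [ "${1:-}" = "--demo" ]; then
    echo "unsafe: $(unsafe_path "$pdflatex")"
    echo "safe:   $(safe_path "$pdflatex")"
    t=$(make_tempdir) && echo "tempdir: $t" && rmdir "$t"
fi
```

Run with `--demo` to see the two PATH values side by side; the unsafe one starts with `.:`.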

------- Comment #4 From Robert Buchholz 2008-12-28 14:04:33 0000 -------
(In reply to comment #1)
> I wonder if other packages bundle this code?

Just checked, could not find a copy of any of those scripts in our distfiles.

------- Comment #5 From Stefan Behte 2009-01-13 23:06:06 0000 -------
A CVE was assigned:

Name:      CVE-2008-5843
URL:       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5843
Published: 2009-01-05
Severity:  Medium
Description:

Multiple untrusted search path vulnerabilities in pdfjam allow local
users to gain privileges via a Trojan horse program in (1) the current
working directory or (2) /var/tmp, related to the (a) pdf90, (b)
pdfjoin, and (c) pdfnup scripts.

------- Comment #6 From Robert Buchholz 2009-01-14 14:11:05 0000 -------
tex herd, please apply the patch. 

------- Comment #7 From Alexis Ballier 2009-01-15 07:06:41 0000 -------
applied in -r1, thanks Martin for the patch

------- Comment #8 From Robert Buchholz 2009-01-15 12:05:39 0000 -------
Arches, please test and mark stable:
=app-text/pdfjam-1.20-r1
Target keywords : "amd64 ppc x86"

------- Comment #9 From Robert Buchholz 2009-01-15 12:07:17 0000 -------
Alexis, did you send the patch upstream as well? If not, I can do that.

------- Comment #10 From Markus Meier 2009-01-15 22:01:20 0000 -------
amd64/x86 stable

------- Comment #11 From Alexis Ballier 2009-01-16 10:41:20 0000 -------
(In reply to comment #9)
> Alexis, did you send the patch upstream as well? If not, I can do that.

Nope, I didn't, I assumed Martin did.

------- Comment #12 From Robert Buchholz 2009-01-16 12:02:23 0000 -------
Mailed upstream.

------- Comment #13 From Tobias Scherbaum 2009-01-18 11:12:11 0000 -------
ppc stable, ready for glsa.

------- Comment #14 From Robert Buchholz 2009-01-20 04:11:16 0000 -------
Upstream merged the patch and released 1.21.

------- Comment #15 From Alexis Ballier 2009-01-20 07:52:29 0000 -------
(In reply to comment #14)
> Upstream merged the patch and released 1.21.

and bumped, thanks for the notice

------- Comment #16 From Robert Buchholz 2009-03-07 16:23:27 0000 -------
GLSA 200903-05
