Bug 169377 - app-text/tetex: System exploitable because of tetex permissions?
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://my.opera.com/taviso/blog/show....
Reported: 2007-03-04 22:58 UTC by Sebastian
Modified: 2007-03-05 21:13 UTC

Description Sebastian 2007-03-04 22:58:03 UTC
Hi all,

I read Tavis Ormandy's blog entry about suid exploits some time ago. Link is above. I looked out for directories on my system that a user has write access to and that are not on extra partitions mounted nosuid.

Here's the list:

/usr/share/texmf/fonts
/usr/share/texmf/fonts/tfm
/usr/share/texmf/fonts/tfm/hoekwater
/usr/share/texmf/fonts/tfm/hoekwater/context
/usr/share/texmf/fonts/tfm/bh
/usr/share/texmf/fonts/tfm/bh/lucidfax
/usr/share/texmf/fonts/tfm/bh/lumath
/usr/share/texmf/fonts/tfm/bh/lucida
/usr/share/texmf/fonts/tfm/bh/lucsans
/usr/share/texmf/fonts/tfm/bh/lubright
/usr/share/texmf/fonts/tfm/cg
/usr/share/texmf/fonts/tfm/cg/helvetic
/usr/share/texmf/fonts/tfm/cg/lettrgth
/usr/share/texmf/fonts/tfm/cg/garamond
/usr/share/texmf/fonts/tfm/cg/marigold
/usr/share/texmf/fonts/tfm/cg/wingding
/usr/share/texmf/fonts/tfm/cg/albertus
/usr/share/texmf/fonts/tfm/cg/coronet
/usr/share/texmf/fonts/tfm/cg/courier
/usr/share/texmf/fonts/tfm/cg/univers
/usr/share/texmf/fonts/tfm/cg/timesnew
/usr/share/texmf/fonts/tfm/cg/clarendo
/usr/share/texmf/fonts/tfm/cg/times
/usr/share/texmf/fonts/tfm/cg/atqolive
/usr/share/texmf/fonts/tfm/cg/symbol
/usr/share/texmf/fonts/tfm/cg/optima
/usr/share/texmf/fonts/tfm/public
/usr/share/texmf/fonts/tfm/public/pxfonts
/usr/share/texmf/fonts/tfm/public/vnr
/usr/share/texmf/fonts/tfm/public/concrete
/usr/share/texmf/fonts/tfm/public/ecc
/usr/share/texmf/fonts/tfm/public/cmcyr
/usr/share/texmf/fonts/tfm/public/misc
/usr/share/texmf/fonts/tfm/public/euxm
/usr/share/texmf/fonts/tfm/public/latex
/usr/share/texmf/fonts/tfm/public/bbold
/usr/share/texmf/fonts/tfm/public/cs
/usr/share/texmf/fonts/tfm/public/wasy
/usr/share/texmf/fonts/tfm/public/cmbright
/usr/share/texmf/fonts/tfm/public/bbm
/usr/share/texmf/fonts/tfm/public/ae
/usr/share/texmf/fonts/tfm/public/qfonts
/usr/share/texmf/fonts/tfm/public/antt
/usr/share/texmf/fonts/tfm/public/xypic
/usr/share/texmf/fonts/tfm/public/eurosym
/usr/share/texmf/fonts/tfm/public/omega
/usr/share/texmf/fonts/tfm/public/qpx
/usr/share/texmf/fonts/tfm/public/cm
/usr/share/texmf/fonts/tfm/public/pl
/usr/share/texmf/fonts/tfm/public/txfonts
/usr/share/texmf/fonts/tfm/public/antp
/usr/share/texmf/fonts/tfm/public/concmath
/usr/share/texmf/fonts/tfm/public/stmaryrd
/usr/share/texmf/fonts/tfm/public/rsfs
/usr/share/texmf/fonts/tfm/public/pazo
/usr/share/texmf/fonts/tfm/public/mflogo
/usr/share/texmf/fonts/tfm/public/cmextra
/usr/share/texmf/fonts/tfm/public/cc-pl
/usr/share/texmf/fonts/tfm/public/gothic
/usr/share/texmf/fonts/tfm/public/marvosym
/usr/share/texmf/fonts/tfm/public/qtx
/usr/share/texmf/fonts/tfm/ams
/usr/share/texmf/fonts/tfm/ams/euler
/usr/share/texmf/fonts/tfm/ams/cyrillic
/usr/share/texmf/fonts/tfm/ams/symbols
/usr/share/texmf/fonts/tfm/ams/cmextra
/usr/share/texmf/fonts/tfm/yandy
/usr/share/texmf/fonts/tfm/yandy/mathtime
/usr/share/texmf/fonts/tfm/yandy/mathplus
/usr/share/texmf/fonts/tfm/yandy/times
/usr/share/texmf/fonts/tfm/yandy/mathpi
/usr/share/texmf/fonts/source/public/cs
/usr/share/texmf/fonts/source/jknappen
/usr/share/texmf/fonts/source/jknappen/ec
/usr/share/texmf/fonts/source/jknappen/tc
/usr/share/texmf/fonts/source/jknappen/sauter
/usr/share/texmf/fonts/source/lh
/usr/share/texmf/fonts/source/lh/lh-ot2
/usr/share/texmf/fonts/source/lh/lh-lcy
/usr/share/texmf/fonts/source/lh/lh-t2a
/usr/share/texmf/fonts/source/lh/lh-x2
/usr/share/texmf/fonts/source/lh/lh-t2b
/usr/share/texmf/fonts/source/lh/specific
/usr/share/texmf/fonts/source/lh/lh-t2c
/usr/share/texmf/fonts/source/lh/nont2
/usr/share/texmf/fonts/source/lh/base
/usr/share/texmf/fonts/source/lh/lh-t2d

In these directories everybody has write access. /usr/share isn't usually something you put on a separate partition so it's usually mounted suid. I don't even see a reason why the tetex' font directories should be writable to everybody anyway.

Is this a valid report or am I missing something?

Regards
Sebastian

Reproducible: Always

Steps to Reproduce:
1. Check tetex' font directories for their permissions

Actual Results:  
Permissions are too lax, they could be used for suid exploits
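
An added example, not part of the bug report or of any Gentoo tooling: a shell audit for the condition the description above names, world-writable directories on a filesystem that is not mounted nosuid. The function names are hypothetical, and the mount table is assumed to be in Linux /proc/mounts format.

```shell
#!/bin/sh
# Added audit example; function names are hypothetical.

# mount_opts_for PATH [MOUNTS_FILE]
# Print the mount options of the filesystem holding PATH by picking the
# longest mount point that is a prefix of PATH. On equal length the later
# entry wins, because a later mount shadows an earlier one.
# Assumption: no spaces in mount points (/proc/mounts writes them as \040).
mount_opts_for() {
    awk -v p="$1" '
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) >= best) { best = length(mp); opts = $4 }
            }
        }
        END { print opts }' "${2:-/proc/mounts}"
}

# is_nosuid PATH [MOUNTS_FILE]: succeed if PATH is on a nosuid mount.
is_nosuid() {
    case ",$(mount_opts_for "$1" "${2:-}")," in
        *,nosuid,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# audit_tree ROOT [MOUNTS_FILE]
# List every world-writable directory under ROOT, tagged with whether its
# filesystem honours set-uid bits. -xdev keeps find on ROOT's filesystem;
# -perm -0002 matches directories with the "other" write bit set.
audit_tree() {
    find "$1" -xdev -type d -perm -0002 2>/dev/null |
    while IFS= read -r dir; do
        if is_nosuid "$dir" "${2:-}"; then
            printf 'nosuid\t%s\n' "$dir"
        else
            printf 'suid-allowed\t%s\n' "$dir"
        fi
    done
}

# Stand-alone use: sh audit.sh /usr/share
if [ "$#" -gt 0 ]; then
    audit_tree "$1"
fi
```

Lines tagged suid-allowed are the ones that match the report; an empty result for /usr/share/texmf is what Comment 2 below describes for a correctly merged package.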
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2007-03-05 20:34:49 UTC
text-markup, any comments?
Comment 2 Sebastian 2007-03-05 21:13:27 UTC
Sorry everybody, the ebuild does indeed set proper permissions while merging. I messed up reporting this without checking properly. My bad.

Regards
Sebastian