
Bug 536454 (CVE-2015-5700, CVE-2015-5701)

Summary: <app-text/texlive-2015: insecure use of /tmp in mktexlsr
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: aballier, tex
Priority: Low
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1181167
Whiteboard: B4 [noglsa cve]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2015-01-13 08:48:03 UTC
From ${URL} :

It was reported [1] that mktexlsr script uses /tmp in an insecure way.
Part of original report:
...
This is how mktexlsr uses temporary files (with boring parts snipped):

treefile="${TMPDIR-/tmp}/mktexlsrtrees$$.tmp"
# ...
while test $# -gt 0; do
   # ...
   (umask 077
   if echo "$1" >>"$treefile"; then :; else
     echo "$progname: $treefile: could not append to arg file, goodbye." >&2
     exit 1
   fi)
   # ...
done


This is insecure because the filename is predictable and, more 
importantly, the program doesn't fail atomically if the file already 
exists.
...

Suggested patch is attached.

[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775139


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
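
Added example (not the patch attached to the bug, and not code from mktexlsr): one way to get the atomic-failure property the report asks for, using mktemp for an unpredictable name and the shell's noclobber option when the name has to stay fixed. The function names, the optional directory argument and the scratch-directory scenario are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: safe alternatives to the predictable "mktexlsrtrees$$.tmp" name.

# Unpredictable name; mktemp creates the file with O_CREAT|O_EXCL and mode 0600.
# $1 is an optional directory (hypothetical parameter, used by the demo below).
make_treefile() {
    mktemp "${1:-${TMPDIR:-/tmp}}/mktexlsrtrees.XXXXXXXXXX"
}

# If the name must stay fixed: noclobber (set -C) makes ">" fail when the path
# already exists, so creation fails atomically instead of reusing the file.
create_exclusive() {
    ( umask 077; set -C; : > "$1" ) 2>/dev/null
}

# Constructed scenario, run inside a private scratch directory.
demo() {
    scratch=$(mktemp -d) || return 1
    fixed="$scratch/mktexlsrtrees$$.tmp"      # predictable name, as in the report
    echo "pre-existing content" > "$fixed"    # a file that was created first

    # Reported pattern: ">>" succeeds and writes into the existing file.
    echo "/usr/share/texmf" >> "$fixed"
    old_lines=$(wc -l < "$fixed" | tr -d ' ')

    # Exclusive create refuses the path that already exists.
    if create_exclusive "$fixed"; then excl=created; else excl=refused; fi

    # mktemp returns a new, owner-only file under a random name.
    safe=$(make_treefile "$scratch") || { rm -rf "$scratch"; return 1; }
    perms=$(ls -ld "$safe" | cut -c1-10)

    rm -rf "$scratch"
    echo "$old_lines $excl $perms"
}

demo
```

The first field of the output shows that the append landed in the pre-existing file; the other two show the exclusive create being refused and the permissions of the file mktemp created.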
Comment 1 Alexis Ballier gentoo-dev 2016-12-01 17:37:56 UTC
fixed in kpathsea-6.2.1_p20150521-r2


this *cannot* go stable yet; we'll get the whole texlive 2015 stable together with bug #432144
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-01 18:22:43 UTC
CVE assignment: http://seclists.org/oss-sec/2015/q3/250
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2017-04-30 21:00:47 UTC
Maintainer(s), please drop the vulnerable version(s).
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-04 22:05:56 UTC
Cleanup PR: https://github.com/gentoo/gentoo/pull/4853
Comment 5 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-08-06 14:43:09 UTC
Ping.

PR has QA issues. For more info:

https://github.com/gentoo/gentoo/pull/4853

Security Team Padawan
ChrisADR
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2018-01-25 02:08:12 UTC
Tree is clean for this package.  texlive-core is not, but that is in bug #432144.

GLSA Vote: No