Bug 252734 (CVE-2008-5743) - app-text/pdfjam <1.20-r1 Multiple vulnerabilities (CVE-2008-5743, CVE-2008-5843)
Summary: app-text/pdfjam <1.20-r1 Multiple vulnerabilities (CVE-2008-5743, CVE-2008-5843)
Status: RESOLVED FIXED
Alias: CVE-2008-5743
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: https://bugzilla.novell.com/show_bug....
Whiteboard: B2/B1 [glsa]
Reported: 2008-12-27 18:51 UTC by Robert Buchholz (RETIRED)
Modified: 2009-03-07 16:23 UTC (History)
Attachments
pdfjam-security.patch (3.80 KB, patch): Patch to fix two security issues and the non-POSIXness
2008-12-28 11:40 UTC, Martin Väth

Description Robert Buchholz (RETIRED) gentoo-dev 2008-12-27 18:51:20 UTC
CVE-2008-5743 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5743):
  pdfjam creates the (1) pdf90, (2) pdfjoin, and (3) pdfnup files with
  a predictable name, which allows local users to overwrite arbitrary
  files via a symlink attack.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-12-27 18:53:08 UTC
I wonder if other packages bundle this code?
Comment 2 Martin Väth 2008-12-28 11:40:09 UTC
Created attachment 176591
Patch to fix two security issues and the non-POSIXness

Actually there is a much more severe security issue in pdfjam:
In the default setting it puts the current directory into PATH (because pdflatex has an empty dirname which is put at the beginning of PATH).

The attached patch fixes both security issues, for simplicity requiring that "mktemp -d" is available and working.

In addition, it replaces the non-POSIX "source" by ".": since the scripts are #!/bin/sh and not #!/bin/bash, they should be at least POSIX-conformant (these scripts would otherwise break in Gentoo if /bin/sh is a symlink to dash).
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-12-28 13:48:54 UTC
This is even worse since the script changes to the tempdir before calling pdflatex:
  cd "$tempfileDir"
  "$pdflatex" --interaction batchmode "$texFile" > "$msgFile"

So you could either prepare a (e.g.) sed executable in $PWD or a pdflatex executable in /var/tmp. The patch looks fine to me, please bump.
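The two bug classes discussed in comments 2 and 3 (an empty PATH entry that makes the shell search the current directory, combined with a cd into a predictable temp directory) and the symlink issue from the bug description, shown side by side in a small POSIX sh script. This is an added example and is not code from pdfjam, from the attached patch, or from anyone in the thread. How pdfjam actually derived the empty dirname is not on the page, so the strip-after-last-slash in naive_prefix_path is an assumption that merely reproduces the symptom; all function names (path_has_cwd, naive_prefix_path, safe_prefix_path, make_workdir, plant_trojan, run_sed_in, demo) are the example's own, and the "trojan" is a constructed script that only echoes a marker.

```shell
#!/bin/sh
# Added example, not pdfjam code. Reproduces an untrusted-search-path bug
# (current directory on PATH + cd into a shared temp directory) next to a
# hardened variant, and uses mktemp -d instead of a predictable temp name.

# Return 0 if the PATH-like string in $1 contains an entry meaning "current
# directory": an empty entry (leading, trailing or double colon) or ".".
path_has_cwd() {
    case ":$1:" in
        *::*|*:.:*) return 0 ;;
    esac
    return 1
}

# Assumed vulnerable mechanism: take "everything before the last slash" of the
# command name and put it in front of PATH. A bare name such as "pdflatex"
# has no slash, so the prefix is empty and PATH begins with ":" (= $PWD).
naive_prefix_path() {
    dir=$(printf '%s\n' "$1" | sed -n 's|^\(.*\)/[^/]*$|\1|p')
    printf '%s\n' "$dir:$PATH"
}

# Hardened: only prefix a directory when the command was given with a path,
# and never produce an empty entry.
safe_prefix_path() {
    case "$1" in
        */*) dir=${1%/*}; [ -n "$dir" ] || dir=/; printf '%s\n' "$dir:$PATH" ;;
        *)   printf '%s\n' "$PATH" ;;
    esac
}

# Private work directory with an unpredictable name, mode 0700, created
# atomically by mktemp (what the attached patch requires), so a symlink or
# directory pre-planted at a guessable /var/tmp path cannot be hit.
make_workdir() {
    mktemp -d "${TMPDIR:-/tmp}/pdfjam-example.XXXXXX"
}

# Attacker side: drop an executable called "sed" into directory $1.
# Constructed trojan: it only prints a marker.
plant_trojan() {
    printf '#!/bin/sh\necho TROJAN\n' > "$1/sed" && chmod 755 "$1/sed"
}

# Victim side: cd into $1 (as the scripts do before running pdflatex) and run
# "sed" with PATH set to $2. Real sed prints nothing for this input; the
# trojan prints TROJAN. Output is whatever the resolved "sed" printed.
run_sed_in() {
    (cd "$1" || exit 1; PATH=$2; export PATH; sed -n p </dev/null)
}

demo() {
    d=$(make_workdir) || return 1
    plant_trojan "$d"
    printf 'vulnerable PATH ran: [%s]\n' "$(run_sed_in "$d" "$(naive_prefix_path pdflatex)")"
    printf 'hardened PATH ran:   [%s]\n' "$(run_sed_in "$d" "$(safe_prefix_path pdflatex)")"
    rm -rf "$d"
}

demo
```

Running it prints "[TROJAN]" for the vulnerable PATH and "[]" for the hardened one: with the empty entry, the cd into the work directory is enough for any file named like a tool the script calls (sed here, pdflatex in the real case) to be executed. The check in path_has_cwd is the one-liner to run against a script's effective PATH before it does any cd.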
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-12-28 14:04:33 UTC
(In reply to comment #1)
> I wonder if other packages bundle this code?

Just checked, could not find a copy of any of those scripts in our distfiles.
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2009-01-13 23:06:06 UTC
A CVE was assigned:

Name:      CVE-2008-5843
URL:       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5843
Published: 2009-01-05
Severity:  Medium
Description:

Multiple untrusted search path vulnerabilities in pdfjam allow local
users to gain privileges via a Trojan horse program in (1) the current
working directory or (2) /var/tmp, related to the (a) pdf90, (b)
pdfjoin, and (c) pdfnup scripts.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2009-01-14 14:11:05 UTC
tex herd, please apply the patch. 
Comment 7 Alexis Ballier gentoo-dev 2009-01-15 07:06:41 UTC
applied in -r1, thanks Martin for the patch
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2009-01-15 12:05:39 UTC
Arches, please test and mark stable:
=app-text/pdfjam-1.20-r1
Target keywords : "amd64 ppc x86"
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2009-01-15 12:07:17 UTC
Alexis, did you send the patch upstream as well? If not, I can do that.
Comment 10 Markus Meier gentoo-dev 2009-01-15 22:01:20 UTC
amd64/x86 stable
Comment 11 Alexis Ballier gentoo-dev 2009-01-16 10:41:20 UTC
(In reply to comment #9)
> Alexis, did you send the patch upstream as well? If not, I can do that.

Nope I didn't, I assumed Martin did.
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2009-01-16 12:02:23 UTC
Mailed upstream.
Comment 13 Tobias Scherbaum (RETIRED) gentoo-dev 2009-01-18 11:12:11 UTC
ppc stable, ready for glsa.
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2009-01-20 04:11:16 UTC
Upstream merged the patch and released 1.21.
Comment 15 Alexis Ballier gentoo-dev 2009-01-20 07:52:29 UTC
(In reply to comment #14)
> Upstream merged the patch and released 1.21.

and bumped, thanks for the notice
Comment 16 Robert Buchholz (RETIRED) gentoo-dev 2009-03-07 16:23:27 UTC
GLSA 200903-05