pdfjam creates the (1) pdf90, (2) pdfjoin, and (3) pdfnup files with
a predictable name, which allows local users to overwrite arbitrary
files via a symlink attack.
I wonder if other packages bundle this code?
Created attachment 176591
Patch to fix two security issues and the non-POSIXness
Actually there is a much more severe security issue in pdfjam:
In the default setting it puts the current directory into PATH (because pdflatex has an empty dirname which is put at the beginning of PATH).
The attached patch fixes both security issues, for simplicity requiring that "mktemp -d" is available and working.
In addition, it replaces the non-POSIX "source" by ".": Since the scripts are #!/bin/sh and not #!/bin/bash they should be at least POSIX-conformant (these scripts would otherwise break in gentoo if /bin/sh is a symlink to dash).
This is even worse since the script changes to the tempdir before calling pdflatex:
"$pdflatex" --interaction batchmode "$texFile" > "$msgFile"
So you could either prepare a (e.g.) sed executable in $PWD or a pdflatex executable in /var/tmp. The patch looks fine to me, please bump.
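The two problems discussed in the comments above, reproduced as an added example. This is not pdfjam's own code and does not reproduce the exact pdfjam 1.20 construction; the dirname-based shape of the PATH assignment is an assumption (for a bare command name dirname prints ".", and both "." and an empty PATH component resolve to the current working directory). It shows the unsafe and fixed PATH construction side by side, an audit check for PATH strings, the mktemp -d replacement for a predictable temp directory, and a harmless reproduction of the Trojan horse from a directory containing a fake sed.

```shell
#!/bin/sh
# Added example; this is not pdfjam's code. It models the two issues from the
# thread: a PATH that starts with the directory part of "$pdflatex" (an empty
# component or "." both resolve to the current working directory), and a
# predictable temp directory. The exact pdfjam 1.20 construction is not
# reproduced; the dirname-based shape below is an assumption.

# Vulnerable shape: the directory of "$pdflatex" is prepended unconditionally.
# For a bare command name dirname prints ".", so PATH starts with the cwd.
unsafe_build_path() {               # $1 = base PATH, $2 = pdflatex setting
    printf '%s\n' "$(dirname -- "$2"):$1"
}

# Fixed shape: only honour a directory the user actually supplied; a bare
# name is looked up through the caller's existing PATH and adds nothing.
safe_build_path() {                 # $1 = base PATH, $2 = pdflatex setting
    case $2 in
        */*) printf '%s\n' "$(dirname -- "$2"):$1" ;;
        *)   printf '%s\n' "$1" ;;
    esac
}

# Audit helper: true if a PATH string contains an empty component or ".",
# i.e. a component that means the current working directory.
has_cwd_component() {
    case ":$1:" in
        *::*|*:.:*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Safe replacement for a predictable name under /var/tmp or /tmp:
# mktemp -d creates a fresh, unguessable directory with mode 0700, so a
# symlink planted in advance cannot redirect the script's writes.
make_tmpdir() {
    mktemp -d "${TMPDIR:-/tmp}/pdfjam.XXXXXX"
}

# Reproduce the attack from the thread: run a command from a directory that
# contains a fake "sed", with $1 prepended to PATH. Prints "hijacked" if the
# fake sed ran, "safe" otherwise. ("" reproduces the empty-component case,
# "." the dirname case; an absolute prefix with no sed in it models the fix.)
demo_trojan() {
    work=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho trojan-ran > "%s/marker"\n' "$work" > "$work/sed"
    chmod 755 "$work/sed"
    (
        cd "$work" || exit 1
        hash -r                      # forget any cached location of sed
        PATH="$1:$PATH" sed -n p /dev/null >/dev/null 2>&1
    )
    if [ -f "$work/marker" ]; then result=hijacked; else result=safe; fi
    rm -rf "$work"
    printf '%s\n' "$result"
}

# Stand-alone run: show the PATH each shape produces and whether it bites.
base=/usr/bin:/bin
printf 'unsafe PATH      : %s\n' "$(unsafe_build_path "$base" pdflatex)"
printf 'safe PATH        : %s\n' "$(safe_build_path "$base" pdflatex)"
printf 'cwd in PATH (".'"'"'): %s\n' "$(demo_trojan .)"
printf 'cwd in PATH (""): %s\n' "$(demo_trojan "")"
printf 'no cwd in PATH   : %s\n' "$(demo_trojan /nonexistent)"
```

The demo writes its fake sed and marker into a throwaway mktemp directory and removes it afterwards; the same directory stands in for both the attacker-controlled $PWD and the predictable /var/tmp location the comment mentions, since the script changes into its temp directory before invoking pdflatex.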
(In reply to comment #1)
> I wonder if other packages bundle this code?
Just checked, could not find a copy of any of those scripts in our distfiles.
A CVE was assigned:
Multiple untrusted search path vulnerabilities in pdfjam allow local
users to gain privileges via a Trojan horse program in (1) the current
working directory or (2) /var/tmp, related to the (a) pdf90, (b)
pdfjoin, and (c) pdfnup scripts.
tex herd, please apply the patch.
applied in -r1, thanks Martin for the patch
Arches, please test and mark stable:
Target keywords : "amd64 ppc x86"
Alexis, did you send the patch upstream as well? If not, I can do that.
(In reply to comment #9)
> Alexis, did you send the patch upstream as well? If not, I can do that.
Nope I didn't, I assumed Martin did.
ppc stable, ready for glsa.
Upstream merged the patch and released 1.21.
(In reply to comment #14)
> Upstream merged the patch and released 1.21.
and bumped, thanks for the notice