+++ This bug was initially created as a clone of Bug #337529 +++

/usr/libexec/TeXmacs/bin/tm_mupad_help sets a possibly insecure LD_LIBRARY_PATH value, allowing an attacker to execute arbitrary code by enticing a user to run the application from a specially crafted directory if LD_LIBRARY_PATH is empty before executing it:

alex@neon ~ % grep -n LD_LIBRARY_PATH /usr/libexec/TeXmacs/bin/tm_mupad_help
29:LD_LIBRARY_PATH=$LD_LIBRARY_PATH:${MuPAD_ROOT_PATH}/${SYSINFO}/lib:/usr/local/X11R6/motif-2.0/lib:/usr/local/X11R6/lib:$MuPAD_ROOT_PATH/$SYSINFO/bin
30:export LD_LIBRARY_PATH

Reported by Raphael Geissert as part of a Debian archive review.
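Added example, not part of the original report and not the fix committed to the tree: the unguarded append pattern from line 29 beside a guarded form, with a check for the empty path component that ld.so reads as the current working directory. `EXTRA_DIRS`, the function names and the sample wrapper are constructed for illustration.

```shell
#!/bin/sh
# Added example (constructed): not the TeXmacs wrapper and not the committed fix.
# EXTRA_DIRS is a placeholder for the directories a wrapper script appends.
EXTRA_DIRS="/opt/example/lib:/opt/example/bin"

# Pattern from the report: the old value is always followed by ":".
unsafe_append() {
    printf '%s\n' "$1:$EXTRA_DIRS"
}

# Guarded form: emit "old:" only when the old value is non-empty.
safe_append() {
    printf '%s\n' "${1:+$1:}$EXTRA_DIRS"
}

# Succeeds if a search path has an empty component (leading, trailing or
# doubled colon); ld.so reads such a component as the current directory.
has_empty_component() {
    [ -n "$1" ] || return 1
    case ":$1:" in
        *::*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Print the line numbers in a script (read from stdin) that prepend
# $LD_LIBRARY_PATH without a ${VAR:+...} guard.
audit_script() {
    grep -nE 'LD_LIBRARY_PATH="?\$\{?LD_LIBRARY_PATH\}?:[^+-]' | cut -d: -f1
}

# Constructed wrapper: line 2 is unguarded, line 3 is guarded.
sample_script() {
    cat <<'EOF'
#!/bin/sh
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/example/lib
LD_LIBRARY_PATH=${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}/opt/example/lib
export LD_LIBRARY_PATH
EOF
}
```

Piping an installed wrapper script into `audit_script` lists the lines worth reviewing by hand; the pattern only covers direct self-prepends of LD_LIBRARY_PATH.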
Upstream will be informed soon, waiting for the issues to be published.
The Red Hat bug at https://bugzilla.redhat.com/show_bug.cgi?id=638427 is now public.
(In reply to comment #2)
> The Red Hat bug at https://bugzilla.redhat.com/show_bug.cgi?id=638427 is now
> public.
Does this mean I may commit the fix to the tree? The fix is trivial (honestly speaking, I think nobody uses the TeXmacs - MuPAD interface: MuPAD is dead, and I doubt the interface worked with the latest versions of MuPAD before its death; so, the risk is minimal).
(In reply to comment #3)
> Does this mean I may commit the fix to the tree?
Yes, please, thank you. I am making this bug public now too.
Fix committed. Now we have to stabilize 1.0.7.2-r1 as soon as possible, and remove 1.0.7.2. Or, even better, stabilize 1.0.7.10, and remove 1.0.7.2, 1.0.7.2-r1.
Thank you. Arches, please stabilize
=app-office/texmacs-1.0.7.2-r1

texmacs-1.0.7.10-r1 has an unstable qt4 USE flag, and the ebuild seems to suggest it's not masked. We're going to do a fast-track stabilization here, so let's avoid the trouble now.
(In reply to comment #6)
> texmacs-1.0.7.10-r1 has an unstable qt4 USE flag, and the ebuild seems to
> suggest it's not masked.
Yes, it's not masked for a few versions already. The qt4 port is becoming much better, and is already quite usable. Maybe, it's time to remove the warning from pkg_setup. But the plain X version (-qt4) is still more stable.
Created attachment 266397
Build log

See QA notice
x86 stable. Thanks.
ppc stable
amd64 done. I am ignoring the QA issues for now since security problems are of higher priority
Stable on alpha.
What does the message
 * QA Notice: The following files contain insecure RUNPATHs
 *  Please file a bug about this at http://bugs.gentoo.org/
 *  with the maintaining herd of the package.
 *   usr/libexec/TeXmacs/bin/texmacs.bin
actually mean? What is RUNPATH? And by what is it determined?
alpha/sparc stable
Thanks, folks. GLSA request filed.
This issue was resolved and addressed in GLSA 201401-27 at http://security.gentoo.org/glsa/glsa-201401-27.xml by GLSA coordinator Sean Amoss (ackle).