+++ This bug was initially created as a clone of Bug #337529 +++
/usr/libexec/TeXmacs/bin/tm_mupad_help sets a possibly insecure LD_LIBRARY_PATH value, allowing an attacker to execute arbitrary code by enticing a user to run the application from a specially crafted directory if LD_LIBRARY_PATH is empty before executing it:
alex@neon ~ % grep -n LD_LIBRARY_PATH /usr/libexec/TeXmacs/bin/tm_mupad_help
Reported by Raphael Geissert as part of a Debian archive review.
Upstream will be informed soon, waiting for the issues to be published.
The Red Hat bug at https://bugzilla.redhat.com/show_bug.cgi?id=638427 is now public.
(In reply to comment #2)
> The Red Hat bug at https://bugzilla.redhat.com/show_bug.cgi?id=638427 is now
Does this mean I may commit the fix to the tree? The fix is trivial (honestly speaking, I think nobody uses the TeXmacs - MuPAD interface: MuPAD is dead, and I doubt the interface worked with the latest versions of MuPAD before its death; so, the risk is minimal).
(In reply to comment #3)
> Does this mean I may commit the fix to the tree?
Yes, please, thank you. I am making this bug public now too.
Now we have to stabilize 18.104.22.168-r1 as soon as possible, and remove 22.214.171.124. Or, even better, stabilize 126.96.36.199, and remove 188.8.131.52, 184.108.40.206-r1.
Thank you. Arches, please stabilize =app-office/texmacs-220.127.116.11-r1
texmacs-18.104.22.168-r1 has an unstable qt4 USE flag, and the ebuild seems to suggest it's not masked. We're going to do a fast-track stabilization here, so let's avoid the trouble now.
(In reply to comment #6)
> texmacs-22.214.171.124-r1 has an unstable qt4 USE flag, and the ebuild seems to
> suggest it's not masked.
Yes, it's not masked for a few versions already. The qt4 port is becoming much better, and is already quite usable. Maybe, it's time to remove the warning from pkg_setup. But the plain X version (-qt4) is still more stable.
Created attachment 266397 [details]
See QA notice
x86 stable. Thanks.
amd64 done. I am ignoring the QA issues for now since security problems are of higher priority
Stable on alpha.
What does the message
* QA Notice: The following files contain insecure RUNPATHs
* Please file a bug about this at http://bugs.gentoo.org/
* with the maintaining herd of the package.
actually mean? What is RUNPATH? And by what is it determined?
Thanks, folks. GLSA request filed.
This issue was resolved and addressed in
GLSA 201401-27 at http://security.gentoo.org/glsa/glsa-201401-27.xml
by GLSA coordinator Sean Amoss (ackle).