Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bugzilla DB migration completed. Please report issues to Infra team via email via infra@gentoo.org or IRC
Bug 536454 (CVE-2015-5700, CVE-2015-5701) - <app-text/texlive-2015: insecure use of /tmp in mktexlsr
Summary: <app-text/texlive-2015: insecure use of /tmp in mktexlsr
Status: RESOLVED FIXED
Alias: CVE-2015-5700, CVE-2015-5701
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Low minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-01-13 08:48 UTC by Agostino Sarubbo
Modified: 2018-01-25 02:08 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-01-13 08:48:03 UTC
From ${URL} :

It was reported [1] that mktexlsr script uses /tmp in an insecure way.
Part of original report:
...
This is how mktexlsr uses temporary files (with boring parts snipped):

treefile="${TMPDIR-/tmp}/mktexlsrtrees$$.tmp"
# ...
while test $# -gt 0; do
   # ...
   (umask 077
   if echo "$1" >>"$treefile"; then :; else
     echo "$progname: $treefile: could not append to arg file, goodbye." >&2
     exit 1
   fi
   # ...
done


This is insecure because the filename is predictable and, more 
importantly, the program doesn't fail atomically if the file already 
exists.
...

Suggested patch is attached.

[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775139


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Alexis Ballier gentoo-dev 2016-12-01 17:37:56 UTC
fixed in kpathsea-6.2.1_p20150521-r2


this *cannot* go stable yet; we'll get the whole texlive 2015 stable together with bug #432144
Comment 2 Thomas Deutschmann gentoo-dev Security 2016-12-01 18:22:43 UTC
CVE assignment: http://seclists.org/oss-sec/2015/q3/250
Comment 3 Yury German Gentoo Infrastructure gentoo-dev Security 2017-04-30 21:00:47 UTC
Maintainer(s), please drop the vulnerable version(s).
Comment 4 Thomas Deutschmann gentoo-dev Security 2017-06-04 22:05:56 UTC
Cleanup PR: https://github.com/gentoo/gentoo/pull/4853
Comment 5 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-08-06 14:43:09 UTC
Ping.

PR has QA issues. For more info:

https://github.com/gentoo/gentoo/pull/4853

Security Team Padawan
ChrisADR
Comment 6 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-01-25 02:08:12 UTC
Tree is clean for this package.  texlive-core is not, but that is in bug #432144.

GLSA Vote: No