Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 536454 (CVE-2015-5700, CVE-2015-5701) - <app-text/texlive-2015: insecure use of /tmp in mktexlsr
Summary: <app-text/texlive-2015: insecure use of /tmp in mktexlsr
Alias: CVE-2015-5700, CVE-2015-5701
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Low minor (vote)
Assignee: Gentoo Security
Whiteboard: B4 [noglsa cve]
Depends on:
Reported: 2015-01-13 08:48 UTC by Agostino Sarubbo
Modified: 2018-01-25 02:08 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-01-13 08:48:03 UTC
From ${URL} :

It was reported [1] that mktexlsr script uses /tmp in an insecure way.
Part of original report:
This is how mktexlsr uses temporary files (with boring parts snipped):

# ...
while test $# -gt 0; do
   # ...
   (umask 077
   if echo "$1" >>"$treefile"; then :; else
     echo "$progname: $treefile: could not append to arg file, goodbye." >&2
     exit 1
   # ...

This is insecure because the filename is predictable and, more 
importantly, the program doesn't fail atomically if the file already 

Suggested patch is attached.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Alexis Ballier gentoo-dev 2016-12-01 17:37:56 UTC
fixed in kpathsea-6.2.1_p20150521-r2

this *cannot* go stable yet; we'll get the whole texlive 2015 stable together with bug #432144
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-01 18:22:43 UTC
CVE assignment:
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2017-04-30 21:00:47 UTC
Maintainer(s), please drop the vulnerable version(s).
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-04 22:05:56 UTC
Cleanup PR:
Comment 5 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-08-06 14:43:09 UTC

PR has QA issues. For more info:

Security Team Padawan
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2018-01-25 02:08:12 UTC
Tree is clean for this package.  texlive-core is not, but that is in bug #432144.

GLSA Vote: No